Driving System and Test Method

The present application is a continuation application of International Patent Application No. PCT/JP2024/025492 filed on Jul. 16, 2024 which designated the U. S. and claims the benefit of priority from Japanese Patent Application No. 2023-128126 filed on Aug. 4, 2023. The entire disclosures of all of the above applications are incorporated herein by reference.

The disclosure in this description relates to a technique for improving performance of a driving system in a vehicle.

A related art discloses a system for driving a vehicle. In this system, a safety model such as a driving policy and an RSS model is implemented as software, making a system applicable to several millions of vehicles conforming to the requirements of safety statements.

According to an aspect of the present disclosure, a driving system to be mounted on a vehicle includes at least one processor, and at least one storage medium configured to store at least one piece of software. Automated driving is enabled by operating the software by the processor in a manner of allowing authority transfer between a system itself and a user. The processor is configured to execute requesting consent of the user to perform a test on test software for improving the software, and operating the test software when the consent of the user is acquired. In requesting consent of the user, the processor may request the consent of the user in conjunction with a timing of the authority transfer.

It is required to execute a verification and validation (V&V) process and execute an improvement on such a driving system. This improvement is also required for vehicles shipped to the market.

The present disclosure provides a driving system and a test method suitable for improving performance.

According to one aspect of the present disclosure, a driving system to be mounted on a vehicle is provided. The driving system includes: at least one processor; and at least one storage medium configured to store at least one piece of software. Automated driving is enabled by operating the software by the processor in a manner of allowing authority transfer between a system itself and a user. The processor is configured to execute requesting consent of the user to perform a test on test software for improving the software, and operating the test software when the consent of the user is acquired. In requesting consent of the user, the processor requests the consent of the user in conjunction with a timing of the authority transfer.

According to such an aspect, the consent of the user to the conduction of the test of the test software is requested in conjunction with the timing of the authority transfer. That is, the consent to the test software to be used after the authority transfer between the driving system and the user can be acquired together with the authority transfer. Therefore, the validity of conducting the test can be ensured while reducing the inconvenience felt by the user for acquiring the consent. Therefore, a driving system suitable for conducting an improvement in performance can be provided.

According to one aspect of the present disclosure, a test method for conducting, in a driving system to be mounted on a vehicle that includes at least one processor and at least one storage medium configured to store at least one piece of software, and that is configured to enable automated driving by operating the software by the processor in a manner of allowing authority transfer between a system itself and a user, a test regarding the software by the processor, is provided. The test method includes: requesting, in conjunction with a timing of the authority transfer, consent of the user to perform a test on test software for improving the software; acquiring the consent of the user by sensing an operation of the user on an operation input device of the vehicle in response to the request; operating the test software when the consent of the user is acquired; and prohibiting an operation of the test software when the consent of the user is not acquired.

According to such an aspect, the consent of the user to the conduction of the test of the test software is requested in conjunction with the timing of the authority transfer. That is, the consent to the test software to be used after the authority transfer between the driving system and the user can be acquired together with the authority transfer. Therefore, the validity of conducting the test can be ensured while reducing the inconvenience felt by the user for acquiring the consent. Therefore, a test method suitable for improving performance can be provided.

Hereinafter, multiple embodiments will be described with reference to the drawings. Duplicate description may be omitted by assigning the same reference numerals to the corresponding elements in each embodiment. When only a part of a configuration is described in each embodiment, the configurations of the other embodiments described above can be applied to the other parts of the configuration. In addition, configurations specified in the description of each embodiment can be combined, and especially, configurations of multiple embodiments can be partially combined even though not specified herein so long as no problem occurs in the combination thereof.

In the following multiple embodiments, contents of “Safety First for Automated Driving” Tech. Rep., 2019, by Aptiv, Audi, Baidu, BMW, Continental, Daimler, FCA, here, Infineon, Intel, and Volkswagen, contents of “On a formal model of safe and scalable self-driving cars”, arXiv: 1708.06374, 2017, by S. Shalev-Shwartz, S. Shammah, and A. Shashua, contents of “The Safety Force Field” Technical Report, 2019, by David Nister, Hon-Leung Lee, Julia Ng, Yizhou Wang, contents of IEEE 2846-2022 are incorporated by reference in their entirety.

The following describes terms related to this disclosure. This description is included in the embodiments of this disclosure.

A road user may be a traffic participant on or adjacent to an active road for the purpose of moving from a certain place to another place.

A dynamic driving task (DDT) may be a real-time operation functionality and a real-time strategic functionality for operating a vehicle in traffic. The dynamic driving task may be all real-time operation functionalities and real-time strategic functionalities for operating the vehicle on the road.

An automated driving system (ADS) may be a batch of hardware and software capable of continuously executing the entire DDT regardless of whether the automated driving system is limited to a specific operational design domain.

ADS functionality (ADS feature) may be design-specific functionality of the ADS in a specific ODD at a predetermined automated driving level.

A DDT fallback may be a response by a driver or an automated system to either execute a DDT or transition to a minimal risk condition after a failure occurs or upon detection of a functional insufficiency or a potentially hazardous behavior. The DDT fallback may be a method of transition control from autonomy to control by a driver or other system using takeover/fallback states and associated use cases. The DDT fallback may be a response by the user for executing the DDT or achieving an MRC after the occurrence of a system failure related to the DDT performance or during deviation from the ODD, or a response by the ADS for achieving the MRC when placed in the same situation.

The minimal risk condition (MRC) may be a vehicle state in order to reduce the risk, when a predetermined trip cannot be completed. The minimal risk condition may be a stable stop state that the user or the ADS brings to the vehicle after the DDT fallback is executed in order to reduce the risk of an accident when the predetermined trip cannot or should not be continued.

The operational design domain (ODD) may be a specific condition which is designed such that a predetermined (automated) driving system functionalities. The operational design domain is an operation condition specially designed such that a predetermined ADS or a functionality thereof functions, and includes, but is not limited to, the presence or absence of requirements of environmental, geography, and time zone restrictions, and/or certain traffic/road properties.

Safety of the intended functionality (SOTIF) may mean absence of an unreasonable risk caused by functional insufficiency for an intended functionality or implementation thereof.

A driving policy may be a strategy and a rule defining a control action at a vehicle level.

A situation is a factor that can affect a behavior of a system, and may include traffic situations, weather, and the behavior of the ego-vehicle.

A scenario may be a description of the temporal relationships between several scenes in a series of scenes, including goals and values in a specific situation influenced by actions and events. The scenario may be a description of consecutive activities in time series in which a vehicle as a main-object, all external environments thereof, and interactions thereof in a process of executing a specific driving task are integrated.

A safety-relevant object may be any moving or static object that may be relevant to the safety performance of the DDT.

The term “reasonably foreseeable” may mean being technically reliable and having a credible or measurable occurrence rate.

A triggering condition may be a specific condition of a scenario functioning as a trigger for a response that is a response of a subsequent system and that contributes to inability to prevent, detect, and reduce hazardous behaviors and reasonably foreseeable indirect misuse.

The safety-related model may be representation of a safety-related aspect of the driving action based on assumptions on the reasonably foreseeable behavior of other road users. The safety-related model may be an on-board or off-board checker or an on-board or off-board safety analysis device, a mathematical model, a set of more conceptual rules, a set of scenario-based behavior, or a combination thereof.

A formal model may be a model represented in a formal representation used for system performance verification.

A safety envelope may be a set of restrictions and conditions that are designed for a (automated) driving system to operate as a target for a constraint or a control in order to maintain an operation at an acceptable risk level. The safety envelope may be a general concept that can be used to deal with all principles on which the driving policy can be based. According to this concept, an ego-vehicle operated by the (automated) driving system can have one or multiple boundaries around the ego-vehicle.

A response time may be a time required for the road user to sense a specific stimulus and start executing a response (braking, steering, acceleration, stopping, or the like) in a predetermined scenario.

The risk acceptance criteria/criterion are/is criteria/a criterion indicating that there is no unreasonable level of risk, and may be, for example, a physical parameter defining when a specific behavior is regarded as a dangerous behavior, the maximum number of accidents per hour, the lowest level reasonably executable, or the like. as a hazardous behavior, the maximum number of incidents per hour, as low as reasonably practicable.

The positive risk balance may be a criterion to demonstrate that a technical solution achieves an acceptable level of residual risk.

A vulnerable road user (VRU) may be a road user not in vehicles such as a car, a public transport agency, or a train. The vulnerable road user may be an unprotected road user, such as a motorcyclist, a cyclist, a pedestrian, or a person with a disability or with reduced mobility and orientation.

A proper response may be an action that is significant to avoid and ameliorate a hazardous situation in a reasonably foreseeable scenario in which other safety-relevant objects are operating within an assumption range.

The object and event detection and response (OEDR) may be a sub-task of the DDT including monitoring the driving environment and executing an appropriate response to such an object or event.

The minimal risk maneuver (MRM) may be a movement of the vehicle instructed by the automated driving system during the DDT fallback to achieve the MRC.

2 1 2 1 1 1 1 FIG. A driving systemof a first embodiment illustrated inimplements functionalities related to driving of a vehicle. A part or all of the driving systemis mounted on the vehicle. The vehiclemay be referred to as an ego-vehicle, a host vehicle, or the like. The vehiclemay be configured to communicate with another vehicle or the like directly or indirectly via communication infrastructure. The other vehicle is referred to as a target vehicle in some cases.

1 1 2 2 The vehiclemay be, for example, a road user capable of executing manual driving of a four-wheeled automobile or a truck. The vehiclemay further be capable of executing automated driving. The automated driving may be referred to as autonomous driving by the driving system. Levels of the driving are classified in accordance with a range or the like of tasks executed by a human driver, among all dynamic driving tasks (DDTs). The automation level is defined, for example, in SAE J3016. At levels 0 to 2, the driver performs a part or all of the DDT. Levels 0 to 2 may be classified as so-called manual driving. Level 0 indicates that driving is not automated. Level 1 indicates that the driving systemassists the driver. Level 2 indicates that driving is partially automated.

2 At level 3 or higher, the driving systemperforms the entire DDT while the ADS functionality (ADS feature) is operating. Levels 3 to 5 may be classified as so-called automated driving. Systems capable of executing driving at level 3 or higher may be referred to as automated driving systems (ADS). A vehicle on which an automated driving system is mounted or a vehicle capable of executing driving at level 3 or higher may be referred to as an automated vehicle/autonomous vehicle (AV).

2 Level 3 indicates that driving is conditionally automated. The automated driving system at level 3 executes the DDT but does not execute the DDT fallback. That is, the DDT fallback is executed by a driver who is ready for fallback. Level 4 indicates that driving is highly automated. The automated driving system at level 4 executes the DDT and the DDT fallback. The automated driving system at level 4 can cause the driver to take over the DDT after reaching the minimal risk condition (MRC) by executing the DDT fallback or the like. Level 5 indicates that driving is fully automated. The takeover of the DDT between the driving systemand the human driver is also referred to as authority transfer.

2 The conditions for executing automated driving at levels 3 and 4 may include some or all of the conditions indicated by the operational design domain (ODD). For example, the ADS functionality may be defined within the range of ODD. The driving systemdescribed in the present embodiment is a driving system capable of executing automated driving at level 3 or 4.

2 2 An architecture of the driving systemis selected such that an efficient safety of the intended functionality (SOTIF) process can be implemented. For example, the architecture of the driving systemmay be configured based on a sense-plan-act model. The sense-plan-act model includes a sense element, a plan element, and an act element, as main system elements. The sense element, the plan element, and the act element interact with one another. The sense may be replaced with perception, the plan may be replaced with determination, and the act may be replaced with control, respectively.

2 40 50 60 In such a driving system, at a functional level (in other words, from a functional perspective), a sensing functionality, a planning functionality, and an acting functionality are implemented. At a technical level (in other words, a technical perspective), at least multiple sensorscorresponding to the sensing functionality, at least one processing systemcorresponding to the planning functionality, and multiple motion actuatorscorresponding to the acting functionality are implemented.

10 40 50 40 50 40 2 20 26 50 2 30 60 60 2 Specifically, a sensing unitas a functional block for implementing the sensing functionality mainly using the multiple sensors, a processing systemthat processes sense information of the multiple sensors, and a processing systemthat generates an environment model based on information of the multiple sensorsmay be constructed in the driving system. A planning unitand a risk checking unitas functional blocks that implement the planning functionality mainly using the processing systemmay be constructed in the driving system. An acting unitas a functional block for implementing the acting functionality mainly using multiple motion actuatorsand at least one processing system that outputs an operation signal of the multiple motion actuatorsmay be constructed in the driving system.

10 20 30 20 10 30 26 30 10 20 The sensing unitmay be implemented in a form of a sensing system serving as a subsystem that is provided to be distinguishable from the planning unitand the acting unit. The planning unitmay be implemented in a form of a planning system as a subsystem that is provided to be distinguishable from the sensing unitand the acting unit. The planning system may include the risk checking unit. The acting unitmay be implemented in a form of an acting system serving as a subsystem that is provided to be distinguishable from the sensing unitand the planning unit. The sensing system, the planning system, and the acting system may constitute independent components. The subsystem here may be replaced with a module, a unit, a device, or the like.

10 1 10 1 2 10 20 10 30 20 The sensing unitserves as the sensing functionality including localization (for example, estimation of position) of a road user such as the vehicleand another vehicle. The sensing unitsenses an external environment, an internal environment, and a vehicle state of the vehicleand further, a state of the driving system. The sensing unitfuses the sensed information to generate an environment model. The environment model may be referred to as a world model. The planning unitapplies a purpose and a driving policy to the environment model generated by the sensing unitto derive a control action. The acting unitexecutes the control action derived by the planning unit.

26 1 26 20 20 1 FIG. The risk checking unitimplements a risk checking functionality of checking a risk occurring in the vehicle. The risk checking unitmay be implemented independently of the planning unitas illustrated in, or may be implemented as a part of the planning functionality of the planning unit.

2 2 40 60 70 50 2 FIG. An example of a physical architecture of the driving systemwill be described with reference to. The driving systemincludes the multiple sensors, the multiple motion actuators, multiple HMI devices, and at least one processing system. These elements can communicate with each other through one or both of a wireless connection and a wired connection. These elements may be capable of communicating with each other through, for example, an in-vehicle network such as a CAN (registered trademark).

40 41 40 42 43 44 The multiple sensorsinclude one or multiple external environment sensors. The multiple sensorsmay include at least one type among one or multiple internal environment sensors, one or multiple communication systems, and a map database (DB).

41 1 41 41 1 The external environment sensormay detect a target object present in the external environment of the vehicle. Examples of the external environment sensorof a target object detection type include a camera, a light detection and ranging/laser imaging detection and ranging (LiDAR), a laser radar, a millimeter wave radar, an ultrasonic sonar, and the like. Typically, a combination of multiple types of external environment sensorsmay be mounted to monitor directions including a front direction, a side direction, and a rear direction of the vehicle.

41 1 41 The external environment sensormay detect a state of an atmosphere or a state of weather in the external environment of the vehicle. The external environment sensorof a state detection type is, for example, an outside air temperature sensor, a temperature sensor, or a raindrop sensor.

42 1 42 42 1 42 60 1 The internal environment sensormay detect a specific physical quantity (hereinafter, a motion physical quantity) related to a vehicle motion in the internal environment of the vehicle. Examples of the internal environment sensorof a motion physical quantity detection type include a velocity sensor, an acceleration sensor, a gyro sensor, and the like. The internal environment sensormay detect a state of an occupant in the internal environment of the vehicle. The internal environment sensorof an occupant detection type is, for example, an actuator sensor, a sensor monitoring a user (for example, a driver) and a system thereof, a biometric sensor, a seating sensor, or an in-vehicle device sensor. In particular, examples of the actuator sensor include an accelerator sensor, a brake sensor, a steering sensor, and the like that detect an operation state of the occupant with respect to the motion actuatorrelated to motion control of the vehicle.

43 2 43 1 43 The communication systemacquires communication data usable in the driving systemthrough wireless communication. The communication systemmay receive a positioning signal from an artificial satellite of a global navigation satellite system (GNSS) present in the external environment of the vehicle. A communication device of a positioning type in the communication systemis, for example, a GNSS receiver.

43 96 1 43 1 The communication systemmay transmit and receive communication signals to and from an external system (for example, a server) present in the external environment of the vehicle. A communication device of a V2X type in the communication systemis, for example, a dedicated short range communications (DSRC) communication device, or a cellular V2X (C-V2X) communication device. Examples of the communication with a V2X system present in the external environment of the vehicleinclude communication with a communication system of another vehicle (V2V), communication with infrastructure such as a communication device set in a traffic light or a roadside device (V2I), communication with a mobile terminal of a pedestrian (V2P), communication with a network such as a cloud server (V2N), and the like. An architecture of the V2X communication, including the V2I communication, may adopt an architecture defined in ISO 21217, ETSI TS 102 940-943, IEEE 1609, or the like.

43 1 91 43 The communication systemmay transmit and receive a communication signal to and from the internal environment of the vehicle, for example, with a mobile terminalsuch as a smartphone present in the vehicle. A communication device of a terminal communication type in the communication systemis, for example, a Bluetooth (registered trademark) device, a Wi-Fi (registered trademark) device, or an infrared communication device.

44 2 44 44 1 44 44 44 The map DBis a database for storing map data usable in the driving system. The map DBincludes at least one type of non-transitory tangible storage medium of, for example, a semiconductor memory, a magnetic medium, or an optical medium. The map DBmay include a database of a navigation unit that navigates a travel route of the vehicleto a destination. The map DBmay include a database of a probe data (PD) map generated by using PD collected from each vehicle. The map DBmay include a database of a high definition map having a high level of definition mainly used for an automated driving system. The map DBmay include a database of a parking lot map including specific parking lot information, for example, parking space markings information, used for automated parking or parking support.

44 2 43 1 The map DBappropriate to the driving systemacquires and stores the latest map data through, for example, communication with a map server via the communication systemof a V2X type. The map data is converted into two-dimensional or three-dimensional data as data indicating the external environment of the vehicle. The map data may include, for example, road data representing at least one type among positional coordinates, a shape, and a road surface condition of a road structure and a standard roadway. The map data may include marking data representing at least one type of, for example, a road sign, a road display, and a positional coordinate and a shape of a lane marking attached to a road. The marking data included in the map data may represent, for example, a traffic sign, an arrow marking, a lane marking, a stop line, a direction sign, a landmark beacon, a business sign, or a change in a line pattern of a road among target objects. The map data may include structure data representing at least one type of positional coordinates, a shape, and the like of a building and a traffic light facing the road, for example. The marking data included in the map data may represent, for example, a streetlight, a road edge, a reflecting plate, or a pole among the target objects.

60 60 60 60 The motion actuatoris capable of controlling a vehicle motion based on an input control signal. The motion actuatorof a driving type is a power train including, for example, at least one type among an internal combustion engine, a drive motor, and the like. The motion actuatorof a braking type is, for example, a brake actuator. The motion actuatorof a steering type is, for example, a steering.

70 1 70 1 2 70 10 70 30 70 Multiple human machine interface (HMI) devicesmay be mounted in the vehicle. The HMI deviceimplements a human machine interaction, which is an interaction between a user of the vehicleand the driving system. Some of the multiple HMI devices, which implement an operation input functionality for the occupant, may be a part of the sensing unit. Some of the multiple HMI devices, which implement an information presentation functionality, may be a part of the acting unit. Meanwhile, the functionality implemented by the HMI devicemay be provided as a functionality independent of the sensing functionality, the planning functionality, and the acting functionality.

70 70 1 2 70 70 60 60 60 a a The HMI devicemay be an operation input devicecapable of inputting an operation by the user to transmit the will or intention of the user of the vehicleto the driving system. The HMI deviceof an operation input type, that is, the operation input device, is, for example, an accelerator pedal, a brake pedal, a shift lever, a steering wheel, a turn signal lever, a mechanical switch, and a touch panel of a navigation unit or the like. Among those, the accelerator pedal controls the power train serving as the motion actuator. The brake pedal controls the brake actuator serving as the motion actuator. The steering wheel controls a steering actuator serving as the motion actuator.

70 70 1 70 70 70 70 b b The HMI devicemay be an information presentation devicethat presents information such as visual information, auditory information, and cutaneous sensory information to the user of the vehicle. The HMI deviceof a visual information presentation type, that is, the information presentation device, is, for example, a combination meter, a graphic meter, the navigation unit, a center information display (CID), a head-up display (HUD), and an illumination unit. The HMI deviceof an auditory information presentation type is, for example, a speaker and a buzzer. The HMI deviceof a cutaneous sensory information presentation type is, for example, a vibration unit of the steering wheel, a vibration unit of a driver's seat, a reaction force unit of the steering wheel, a reaction force unit of the accelerator pedal, a reaction force unit of the brake pedal, and an air conditioning unit.

70 91 43 70 70 The HMI devicemay implement an HMI functionality in cooperation with the mobile terminalsuch as a smartphone by communicating with the terminal through the communication system. For example, the HMI devicemay present information acquired from a smartphone to the user. For example, an operation input to the smartphone may be used as an alternative to an operation input to the HMI device.

50 50 50 70 70 At least one processing systemis provided. For example, the processing systemmay be an integrative processing system that executes a process related to the sensing functionality, a process related to the planning functionality, and a process related to the acting functionality in an integrated manner. In this case, the integrative processing systemmay further execute a process related to the HMI device, and an HMI dedicated processing system may be separately provided. For example, the HMI dedicated processing system may be an integrated cockpit system that integrally executes a process related to each HMI device.

50 For example, the processing systemmay include each of at least one processing unit corresponding to the process related to the sensing functionality, at least one processing unit corresponding to the process related to the planning functionality, and at least one processing unit corresponding to the process related to the acting functionality.

50 50 60 70 The processing systemincludes a communication interface for an outside, and is connected to at least one type of elements related to the process performed by the processing systemamong each sensor, the motion actuator, the HMI device, and the like via at least one type among, for example, a local area network (LAN), a wire harness, an internal bus, and a wireless communication circuit.

50 51 50 51 The processing systemincludes at least one dedicated computer. The processing systemmay combine multiple dedicated computersto implement a functionality such as the sensing functionality, the planning functionality, and the acting functionality.

51 50 1 51 50 51 50 1 51 50 1 51 50 1 For example, the dedicated computerconstituting the processing systemmay be an integrated ECU that integrates driving functionalities of the vehicle. The dedicated computerconstituting the processing systemmay be a determination ECU that determines a DDT. The dedicated computerconstituting the processing systemmay be a monitoring ECU that monitors driving of the vehicle. The dedicated computerconstituting the processing systemmay be an evaluation ECU that evaluates driving of the vehicle. The dedicated computerconstituting the processing systemmay be a navigation ECU that navigates a travel route of the vehicle.

51 50 1 51 50 41 51 50 60 1 51 50 70 51 50 91 43 The dedicated computerconstituting the processing systemmay be a locator ECU that estimates a position of the vehicle. The dedicated computerconstituting the processing systemmay be an image processing ECU that processes image data detected by the external environment sensor. The dedicated computerconstituting the processing systemmay be an actuator ECU that controls the motion actuatorof the vehicle. The dedicated computerconstituting the processing systemmay be an HMI control unit (HCU) that integrally controls the HMI devices. The dedicated computerconstituting the processing systemmay be, for example, at least one external computer that is provided in an external center or the mobile terminalthat enables communication via the communication system.

51 50 51 51 51 51 51 51 a b a b a b The dedicated computerconstituting the processing systemincludes at least one memoryand at least one processor. The memorymay be, for example, at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, which non-temporarily stores a computer program, data, and the like that can be read by the processor. For example, a rewritable volatile storage medium such as a random access memory (RAM) may be provided as the memory. The processorincludes, for example, at least one type of a central processing unit (CPU), a graphics processing unit (GPU), and a reduced instruction set computer (RISC)-CPU as a core.

51 50 51 51 51 a b The dedicated computerconstituting the processing systemmay be a system on a chip (SoC) in which the memory, the processor, and an interface are integrally implemented on one chip, or at least one SoC may be provided as an element of the dedicated computer.

50 The processing systemmay include at least one database for executing the DDT. The database may include, for example, a non-transitory tangible storage medium of at least one type of a semiconductor memory, a magnetic medium, and an optical medium, and an interface for accessing the storage medium.

59 58 59 58 50 2 59 58 50 43 The database may be a scenario database (hereinafter, referred to as “scenario DB”). The database may be a rule database (hereinafter, rule DB). At least one of the scenario DBand the rule DBmay not be provided in the processing system, but may be provided independently in the driving system. At least one of the scenario DBand the rule DBmay be provided in an external system present in an external environment and configured to be accessible from the processing systemvia the communication system.

59 1 2 1 59 The scenario DBhas a scenario catalog in which multiple scenarios used for driving the vehicleare stored. The driving systemcan, for example, apply the situation in which the vehicleis located to one scenario selected from multiple scenarios or a combination of multiple scenarios. The scenario DBmay store multiple scenarios including at least one of a functional scenario, a logical scenario, and a concrete scenario. The functional scenario defines a top-level qualitative scenario structure. The logical scenario is a scenario obtained by assigning a quantitative parameter range to a structured functional scenario. The concrete scenario defines a boundary of a safety determination for distinguishing between a safe state and an unsafe state.

58 1 1 The rule DBstores a rule set used for driving the vehicle. The rule set may include multiple rules. The rule set may further include a structure of the degree of priority for a series of rules, which is set based on a relative importance among the multiple rules. The rule set may be an implementation of guidelines for strategic driving of the vehicle.

The multiple rules may include rules based on laws, regulations, and a combination thereof. The multiple rules may include rules based on a preference that is not influenced by the laws, the regulations, or the like. The multiple rules may include rules based on a motion behavior based on an experience in the past. The multiple rules may include rules based on a characterization of a motion environment. The multiple rules may include rules based on ethical concerns. The multiple rules may include rules based on a basic principle of a safety model to be described below (for example, the five principles of an RSS model). The plurality of rules may include a traffic rule. The traffic rule may be a rule defined in the Road Traffic Law, or may be a rule based on national or regional customs.

58 10 20 44 The rules such as the traffic rules stored in the rule DBmay be positioned as the information provided from the sensing unitto the planning unitby the sensing functionality, similarly to the map information acquired from the map DB.

50 55 2 55 55 55 c c The processing systemmay also include at least one recording devicethat records at least one of the sensing information, planning information, and action information of the driving system. The recording devicemay include at least one large-capacity storage medium. The storage mediummay be at least one type of non-transitory tangible storage medium among, for example, a semiconductor memory, a magnetic medium, and an optical medium.

55 55 55 c c The storage mediummay be mounted on a substrate in a form that is not easily detachable or replaceable, and in this form, for example, an embedded Multi Media Card (eMMC) or the like using a flash memory may be adopted. At least one of the storage mediamay be in a form that is detachable and replaceable with respect to the recording device, and in this form, for example, an SD card or the like may be adopted.

55 55 The recording devicemay have a functionality of selecting information to be recorded from among the sensing information, the planning information, and the action information. In this case, the recording devicemay include a dedicated computer.

55 55 55 55 55 55 55 a b a b a b The dedicated computer provided in the recording devicehas at least one memoryand at least one processor. The memorymay be, for example, at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, which non-temporarily stores a computer program, data, and the like that can be read by the processor. For example, a rewritable volatile storage medium such as a random access memory (RAM) may be provided as the memory. The processorincludes, for example, at least one type of a central processing unit (CPU), a graphics processing unit (GPU), and a reduced instruction set computer (RISC)-CPU as a core.

55 55 a b The dedicated computer may be a system on a chip (SoC) in which the memory, the processor, and an interface are integrally implemented on one chip, or at least one SoC may be provided as an element of the dedicated computer.

55 55 2 55 55 55 55 c c b The recording devicemay access the storage medium, and execute recording in accordance with a data writing command from each unit of the driving system. The recording devicemay determine information transmitted to the in-vehicle network, access the storage medium, and execute recording based on determination of the processorprovided in the recording device.

55 50 2 55 50 43 The recording devicemay not be provided in the processing systembut may be provided independently in the driving system. The recording devicemay be provided in the external system present in the external environment, and configured to be accessible from the processing systemvia the communication system.

50 53 The processing systemmay include at least one risk checker.

53 53 51 53 20 26 The risk checkermay be one aspect of on-board implementation of responsibility sensitive safety (RSS) as a safety model. The risk checkermay be an on-board checker for the planning functionality implemented by the dedicated computer. The risk checkerimplements, by hardware independent of the planning unit, the risk checking unitthat implements the risk checking functionality.

53 53 53 55 55 55 55 a b a b a b The risk checkermay be configured mainly with a dedicated computer having at least one memoryand at least one processor. The memorymay be, for example, at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, which non-temporarily stores a computer program, data, and the like that can be read by the processor. For example, a rewritable volatile storage medium such as a random access memory (RAM) may be provided as the memory. The processorincludes, for example, at least one type of a central processing unit (CPU), a graphics processing unit (GPU), and a reduced instruction set computer (RISC)-CPU as a core.

53 53 a b The dedicated computer may be a system on a chip (SoC) in which the memory, the processor, and an interface are integrally implemented on one chip, or at least one SoC may be provided as an element of the dedicated computer.

50 51 53 55 51 53 55 2 2 2 2 a a a b b b As described above, the processing systemincludes the memories,, andthat store software. The processors,, andare configured to implement automated driving by operating software so that authority transfer can be implemented between the system itself and the user. The software herein may include a computer program itself used in the driving system. The software herein may include an algorithm in the computer program used in the driving system. The software herein may include parameters in the computer program used in the driving system. The software herein may include an AI or a trained model, such as a neural network, used in the driving system.

2 10 11 12 13 3 FIG. Next, an example of a logical architecture of the driving systemwill be described with reference to. The description herein will focus on a process performed by a computer program executed during automated driving at level 3 or higher. The sensing unitmay include an environment perception unit, a self-position perception unit, and an internal perception unitas processing units for implementing, by executing a computer program by the processor, sub-functionalities obtained by further classifying the sensing functionalities.

11 40 11 41 11 1 41 The environment perception unitindividually processes information (referred to as sensor data in some cases) on an external environment acquired from each sensorand implements a functionality of perceiving the external environment including a target object, other road users, and the like. The environment perception unitprocesses detection data detected by each external environment sensorindividually. The detection data may be detection data provided from, for example, a millimeter wave radar, a sonar, or a LiDAR. The environment perception unitmay generate relative position data including a direction, a size, and a distance of an object with respect to the vehicle, from raw data detected by the external environment sensor.

11 1 The detection data may be image data provided from, for example, a camera or a LIDAR. The environment perception unitprocesses the image data, and extracts an object that is reflected in an angle of view of the image. The extraction of the object may include estimation of the direction, the size, and the distance of the object with respect to the vehicle. The extraction of the object may include, for example, classification of the object by using semantic segmentation.

11 43 11 44 The environment perception unitprocesses information acquired through a V2X functionality of the communication system. The environment perception unitprocesses information acquired from the map DB.

11 The environment perception unitmay be further classified into multiple sensor perception units each optimized for one sensor group. The sensor perception unit may fuse information of one sensor group when the sensor perception unit is associated to perceive information of the one sensor group.

12 1 12 1 43 12 11 12 44 12 1 The self-position perception unitconducts localization of the vehicle. The self-position perception unitacquires global position data of the vehiclefrom the communication system(for example, a GNSS receiver). In addition, the self-position perception unitmay acquire position information of the target object extracted by the environment perception unit. The self-position perception unitacquires map information from the map DB. The self-position perception unitintegrates these pieces of information to estimate a position of the vehicleon a map.

13 42 1 60 70 The internal perception unitimplements a functionality of perceiving a vehicle state by processing detection data detected by each internal environment sensor. The vehicle state may include a state of a motion physical quantity of the vehicledetected by a velocity sensor, an acceleration sensor, a gyro sensor, or the like. The vehicle state may include at least one type of a state of a user, an operation state of the user with respect to the motion actuator, and a switching state of the HMI devices.

20 21 22 23 The planning unitmay include a prediction unit, a driving planning unit, and a mode management unitas processing units for implementing, by executing a computer program by the processor, sub-functionalities obtained by further classifying the planning functionalities.

21 11 12 13 21 1 The prediction unitacquires external environment information perceived by the environment perception unitand the self-position perception unit, the vehicle state perceived by the internal perception unit, and the like. The prediction unitmay interpret an environment based on the acquired information, and estimate the current situation in which the vehicleis located. The situation here may be an operational situation, or may include an operational situation.

21 21 The prediction unitmay interpret the environment and predict actions of objects such as other road users. The object here may be a safety-relevant object. The prediction of the action here may include at least one of prediction of a velocity of the object, prediction of an acceleration of the object, and prediction of a trajectory of the object. The prediction of the act may be executed based on a reasonably foreseeable assumption. The prediction unitmay estimate an intention of the user, based on the predicted action, the predicted potential hazard, and the acquired vehicle state.

22 1 1 12 21 23 The driving planning unitplans automated driving of the vehicle, based on at least one type of estimation information of the position of the vehicleon the map provided by the self-position perception unit, prediction information and user intention estimation information provided by the prediction unit, functional constraint information provided by the mode management unit, and the like.

22 1 The driving planning unitimplements a route planning functionality, a behavior planning functionality, and a trajectory planning functionality. The route planning functionality is a functionality of planning at least one of a route to a destination and a lane plan at a middle distance based on the estimation information of the position of the vehicleon the map. The route planning functionality may further include a functionality of determining at least one request of a lane changing request and a deceleration request, based on the lane plan at the middle distance. The route planning functionality may be a mission/route planning functionality in a strategic functionality, or may be a functionality of outputting a mission plan and a route plan.

1 21 23 1 1 1 1 The behavior planning functionality is a functionality of planning a behavior of the vehicle, based on at least one of the route to the destination and the lane plan at the middle distance planned by the route planning functionality, the lane changing request and the deceleration request, the prediction information and the user intention estimation information provided by the prediction unit, and the functional constraint information provided by the mode management unit. The behavior planning functionality may include a functionality of generating a condition related to a state transition of the vehicle. The condition related to the state transition of the vehiclemay correspond to a triggering condition. The behavior planning functionality may include a functionality of determining a state transition of an application that implements a DDT, and further include a functionality of determining a state transition of a driving action, based on the condition. The behavior planning functionality may include a functionality of determining a constraint related to a path of the vehiclein a longitudinal direction and a constraint related to the path of the vehiclein a lateral direction, based on information on these state transitions. The behavior planning functionality may be a strategic behavior plan in a DDT functionality, or may output a strategic behavior.

1 21 1 1 The trajectory planning functionality is a functionality of planning a travel trajectory of the vehicle, based on the determination information provided by the prediction unit, the constraint related to the path of the vehiclein the longitudinal direction, and the constraint related to the path of the vehiclein the lateral direction. The trajectory planning functionality may include a functionality of generating a path plan. The path plan may include a velocity plan, or the velocity plan may be generated as a plan independent of the path plan. The trajectory planning functionality may include a functionality of generating multiple path plans and selecting an optimal path plan from the multiple path plans, or a functionality of switching between the path plans. The trajectory planning functionality may further include a functionality of generating backup data of the generated path plan. The trajectory planning functionality may be a trajectory planning functionality in the DDT functionality, or may output a trajectory plan.

23 2 23 2 23 2 23 13 23 13 40 22 The mode management unitmonitors the driving system, and sets a constraint on a functionality related to driving. The mode management unitmay manage a mode of automated driving, for example, a state of the automation level. The management of the automation level may include switching between manual driving and automated driving, that is, authority transfer between the user and the driving system, that is, management of takeover of driving. The mode management unitmay monitor a state of a subsystem related to the driving system, and determine a defect of the system (for example, an error, an unstable operation state, a system failure, or a failure). The mode management unitmay determine a mode based on the intention of the user, based on the user intention estimation information generated by the internal perception unit. The mode management unitmay set a constraint on a functionality related to driving, based on at least one of a determination result of the defect of the system, a determination result of the mode, and further, the vehicle state provided by the internal perception unit, a sensor abnormality (or sensor failure) signal output from the sensor, state transition information of the application and the trajectory plan provided by the driving planning unit, and the like.

23 1 1 22 23 The mode management unitmay have a functionality of determining the constraint related to the path of the vehiclein the longitudinal direction and the constraint related to the path of the vehiclein the lateral direction in an integrated manner, in addition to the constraint on a functionality related to driving. In this case, the driving planning unitplans a behavior and plans a trajectory, in accordance with the constraint determined by the mode management unit.

26 20 27 28 29 21 22 23 26 20 26 21 22 23 3 FIG. When the risk checking unitis implemented independently of the planning unit, a situation extraction unit, a situation checking unit, a response unit, and the like to be described below may be provided separately from the prediction unit, the driving planning unit, and the mode management unitin. When the risk checking unitis implemented as a part of the planning unit, the risk checking functionality of the risk checking unitmay be implemented as a part of the functionalities implemented by the prediction unit, the driving planning unit, and the mode management unit.

30 31 71 31 1 22 31 60 The acting unitmay include a motion control unitand an HMI output unitas processing units for implementing, by executing a computer program by the processor, sub-functionalities obtained by further classifying the action functionalities. The motion control unitcontrols a motion of the vehicle, based on the trajectory plan (for example, the path plan and the velocity plan) acquired from the driving planning unit. Specifically, the motion control unitgenerates accelerator request information, shift request information, brake request information, and steering request information corresponding to the trajectory plan, and outputs the accelerator request information, the shift request information, the brake request information, and the steering request information to the motion actuator.

31 1 10 13 10 1 The motion control unitis capable of directly acquiring the vehicle state, for example, at least one of a current velocity, a current acceleration, and a current yaw rate of the vehicle, perceived by the sensing unit(particularly, the internal perception unit) from the sensing unit, and reflecting the vehicle state on the motion control of the vehicle.

71 21 22 23 71 71 70 71 The HMI output unitoutputs information on an HMI, based on at least one of the prediction information and the user intention estimation information provided by the prediction unit, the state transition information of the application and the trajectory plan provided by the driving planning unit, the functional constraint information provided by the mode management unit, and the like. The HMI output unitmay manage a vehicle interaction. The HMI output unitmay generate a notification request based on a management state of the vehicle interaction, and control an information presentation functionality of the HMI devices. The HMI output unitmay generate a control request for a wiper, a sensor cleaning device, a headlight, and an air conditioner based on the management state of the vehicle interaction, and control these devices.

2 The driving systemmay implement a safety model of automated driving. The safety model is a model for demonstrating that there is no acceptable risk in a specific operational design domain. The safety model may correspond to, for example, a safety driving model, a safety-related model, or a formal model. As the safety model, for example, the RSS model may be adopted. Meanwhile, another model, a more generalized model, or a complex model obtained by combining multiple models may also be adopted.

For example, in the RSS model, five rules (five principles) are adopted. The first rule is “Do not hit someone from behind”. The second rule is “Do not cut-in recklessly”. The third rule is “Right-of-way is given, not taken”. The fourth rule is, “Be careful of area another one, you must do it”. The fifth rule is “If you can avoid an accident without causing another one, you must do it”.

Based on the five rules, particularly the first and second rules, a safety envelope may be defined. For example, the safety envelope may mean a longitudinal safety distance and a lateral safety distance with respect to other road users or may mean a condition or a concept for calculating these safety distances. The safety distance is an example of a geometric approach.

min f max, brake max, accel 1 1 4 FIG. A longitudinal safety distance dmay be a distance at which a rear-end collision does not occur when a preceding vehicle OV, traveling at a velocity v, brakes at a maximum deceleration aand stops, even when a rear vehicle (for example, vehicle) accelerates with a response time p and a maximum acceleration a, and then brakes at a minimum deceleration amin, brake and stops, as illustrated in.

brake, front 1 Here, the stopping distance dof the preceding vehicle OVis expressed by the following expression 1.

reaction, rear 1 The reaction distance dof the rear vehicle (vehicle) is expressed by the following expression 2.

brake, rear 1 The braking distance dof the rear vehicle (vehicle) is expressed by the following Formula 3.

min 1 The safety distance dis expressed by the expression shown in the following Formula 4 as a value obtained by adding the braking distance of the rear vehicle to the reaction distance of the rear vehicle and subtracting the stopping distance of the preceding vehicle OV.

min 1 2 max, accel min, brake 1 2 5 FIG. The longitudinal safety distance dmay be a distance at which a head-on collision does not occur even when two vehicles, the vehicleand a vehicle OVare traveling toward each other at their respective velocities vand v, accelerate with the predetermined response time p and the maximum acceleration a, and then brake and stop at the minimum deceleration a, as illustrated in.

reaction, 1 1 Here, the reaction distance dof the vehicleis expressed by the expression shown in the following Formula 5.

brake, 1 1 The braking distance dof the vehicleis expressed by the expression shown in the following Formula 6.

reaction, 2 2 The reaction distance dof the vehicle OVis expressed by the expression shown in the following Formula 7.

brake, 2 2 The braking distance dof the vehicle OVis expressed by the expression shown in the following Formula 8.

min 1 1 2 2 The safety distance dis expressed by the expression shown in the following Formula 9 as a sum of the reaction distance of the vehicle, the braking distance of the vehicle, the reaction distance of the vehicle OV, and the braking distance of the vehicle OV.

min 1 2 max, accel max, brake 1 3 6 FIG. The lateral safety distance dmay be a distance at which a minimum distance μ is secured and a collision does not occur even when two vehicles, the vehicleand a vehicle OVare traveling side by side at the lateral velocities vand v, respectively, accelerate at the predetermined response time ρ and the maximum acceleration a, and then decelerate in the lateral direction at the maximum deceleration a, as illustrated in.

reaction, 1 1 Here, the reaction distance dof the vehicleis represented by the expression shown in the following Formula 10.

brake, 1 1 The braking distance dof the vehicleis expressed by the expression shown in the following Formula 11.

reaction, 2 3 The reaction distance dof the vehicle OVis represented by the expression shown in the following Formula 12.

brake, 2 3 The braking distance dof the vehicle OVis represented by the expression shown in the following Formula 13.

min 1 1 3 3 The safety distance dis expressed by the expression shown in the following Formula 14 as a sum of the reaction distance of the vehicle, the braking distance of the vehicle, the reaction distance of the vehicle OV, and the braking distance of the vehicle OV.

7 FIG. 1 A coordinate system used in the safety model may be a lane-based coordinate system. As illustrated in, this coordinate system processes movement of the vehiclein a direction along a lane LA by defining a center line of the lane LA, that is, a lane axis ALA along a curve of a road. On the other hand, in order to define a longitudinal axis and a lateral axis of each road user, a road-user-based coordinate system may be used. This coordinate system is based on a center of gravity of the road user and defines an ordinate and an abscissa depending on a heading angle of the road user.

1 FIG. 26 2 20 26 10 30 26 27 28 29 For example, as illustrated in, the risk checking unitimplemented in the driving systemis arranged in parallel with the planning unitand executes a calculation process. Specifically, the risk checking unitacquires an environment model, sensor data, or the like from the sensing unit, evaluates a risk based on these pieces of information, and outputs a response according to the risk to the acting unit. This series of functionalities or processes may be referred to as risk checking or risk monitoring. The risk checking unitmay include the situation extraction unit, the situation checking unit, and the response unitas sub-blocks obtained by further classifying the functionalities.

27 10 1 1 1 27 The situation extraction unitextracts a situation based on information acquired from the sensing unit. Data indicating the situation (hereinafter, situation data) may include a list of objects present in the vicinity of the vehicle(hereinafter, surrounding objects). The surrounding objects may include other road users. The situation data may include data indicative of a potential conflict between the vehicleand the surrounding object. In this case, the situation data may include a probability of the presence, and an uncertainty of a position, an orientation, and a velocity of the vehicleand the surrounding object. The situation extraction unitmay extract multiple situations. The situation may be a traffic situation. The situation may be selected from a series of considered situations.

28 27 28 The situation checking unitchecks whether the situation extracted by the situation extraction unitis a safe situation or a hazardous situation. The situation checking unitexecutes at least one of checking by the geometric approach described above and checking by using another methodology. The checking here may be referred to as checking of a risk. When the checking of the risk is executed, a safety envelope may refer to an acceptable collision risk.

1 The checking of the risk may include checking of an estimated result of the collision risk between the vehicleand the surrounding object. The collision risk may include a collision risk over time, and may include a peak collision risk. The collision risk may be a probability of collision. That is, an uncertainty can be taken into account in the checking of the risk.

28 28 28 28 28 28 When the safety envelope is violated, the situation checking unitdetermines that a situation as a checking target is a hazardous situation. When the situation checking unitexecutes checking of the risk, the situation checking unitmay compare the estimated collision risk value with a threshold of an acceptable collision risk. When the estimated collision risk value is below the threshold of the acceptable collision risk, the situation checking unitmay determine that the situation as a checking target is a safe situation. When the estimated collision risk value exceeds the threshold of the acceptable collision risk, the situation checking unitmay determine that the situation as a checking target is a hazardous situation. That is, when there is no violation of the safety envelope, the situation checking unitdetermines that the situation as a checking target is a safe situation. This risk threshold may be, for example, a longitudinal safety distance and a lateral safety distance.

28 The situation checking unitmay set a hypothesis on the surrounding object, and check a risk based on the hypothesis. In this case, multiple hypotheses may be used. The hypothesis may be or may include an assumption on a reasonably foreseeable behavior. The hypothesis may be a prediction derived based on this assumption, and may include the prediction derived based on this assumption.

That is, there is a possibility that an assumed kinematic value is influenced by an acceptable risk level. The acceptable risk level or risk threshold may be set in advance based on a risk acceptance criteria/criterion. The quantitative criterion of the risk acceptance criteria/criterion is, for example, a probability of occurrence of harm falling below a threshold. The risk acceptance criteria/criterion may be set based on a positive risk balance, which is a main measure of a risk level that is ethically acceptable. The risk acceptance criteria/criterion may be set by, for example, a combination of a statistical approach such as traffic accident statistics and an approach based on a scenario.

2 2 The risk acceptance criteria/criterion may be determined based on a comparison between the driving systemunder a reasonably foreseeable scenario of the ODD and an experienced and attentive driver. For example, the risk acceptance criteria/criterion may be set based on the fact that the capability of the driving systemis equal to or higher than the driving ability of an experienced and attentive driver.

2 2 The acceptable risk level or the risk threshold may be designated in advance by at least one of, for example, a government agency, a standardization agency, and an approval agency of the driving system. The acceptable risk level or the risk threshold may be set in advance by, for example, a developer of the driving system.

2 26 2 26 The driving systemor the risk checking unitmay be designed to change the risk threshold according to the ODD. The driving systemor the risk checking unitmay be designed to change the risk threshold according to the use case.

28 58 28 The situation checking unitmay refer to a rule set stored in the rule DBto determine the acceptable risk level. The situation checking unitmay improve estimation accuracy by incorporating the rules of the rule set into an algorithm for calculating the risk value.

8 FIG. 53 53 53 11 15 27 28 1 2 a b illustrates an example of a processing method for deriving and defining an assumption. The process may be implemented, for example, by executing a computer program stored in the memoryby the processorof the risk checker. A series of processes in steps Sto Sis executed for each predetermined regular time interval or based on a predetermined trigger. The predetermined trigger may be provided as, for example, the latest situation data being provided from the situation extraction unitto the situation checking unit. This process may be used not during actual traveling of the vehiclebut in conduction of V&V on the driving systemby simulation or the like.

11 1 59 11 12 In the first step S, a scenario currently being encountered by the vehicleis specified. The specifying of the scenario may include selecting a scenario from, for example, a catalog of scenarios stored in the scenario DB. One scenario may be selected. Multiple scenarios may be selected. A more complex situation may be represented by combining the multiple scenarios. After the process in S, the process proceeds to S.

12 15 12 12 13 Sto Sare iteration processes for each scenario. In S, a relevant scene and a road user as dynamic elements are specified and highly described. After the process in S, the process proceeds to S.

14 15 14 11 1 11 14 15 Sand Sare iteration processes for each kinematic property. In S, whether the kinematic properties are relevant to the safety is evaluated based on the scenario specified in S. This evaluation is conducted by checking whether a certain property is a motion of other road users and may cause a motion for the vehicle. When the kinematic property is not relevant to the safety, the kinematic property is excluded from application to the scenario specified in S. After the process in S, the process proceeds to S.

15 11 15 12 13 14 In S, an assumption on a reasonably foreseeable behavior of other road users for the scenario specified in Sis created. The assumption can be defined by setting a boundary for the range of behaviors of other road users that are reasonably foreseeable in a specific travel situation. After the process in S, the process is returned to S, S, and Sand repeated, depending on the remaining processing state of other scenarios, road users, and kinematic properties. When the process is completed for all the scenarios, the series of processes is ended.

The assumption may be a function of a time which is changed during a specified scenario. Alternatively, the assumption may not be changed during the specified scenario. A minimum set of the assumption on other road users may be defined.

The minimum set may include one or more properties according to a scenario, among a reasonably foreseeable maximum assumed longitudinal velocity other road users could exhibit, a reasonably foreseeable maximum assumed lateral velocity other road users could exhibit, a reasonably foreseeable maximum assumed longitudinal acceleration other road users preceding the vehicle could exhibit, a reasonably foreseeable maximum assumed lateral acceleration other road users could exhibit, a reasonably foreseeable maximum assumed longitudinal deceleration other road users preceding the vehicle could exhibit, a reasonably foreseeable minimum assumed longitudinal deceleration other road users traveling in an opposite direction to the vehicle or following the vehicle could exhibit, a reasonably foreseeable minimum assumed lateral deceleration other road users could exhibit, a reasonably foreseeable maximum assumed heading angle other road users could exhibit, a reasonably foreseeable maximum assumed heading angle rate change other road users could exhibit, a reasonably foreseeable maximum assumed lateral position fluctuation other road users could exhibit, and a reasonably foreseeable maximum assumed response time other road users could exhibit.

The values of these assumptions may differ depending on the category of the road users. For example, an assumption value may be changed depending on whether the road user is a vulnerable road user (VRU). The assumption value may be adjusted depending on at least one of various road surface conditions and weather-related environmental conditions that are reasonably expected within an operational design domain. The assumption value may also be adjusted according to at least one of a difference in road traffic laws across countries and a difference in traffic customs across regions.

29 28 30 60 1 1 29 30 The response unitderives a proper response based on the checking result of the situation checking unit. The proper response may be provided to the acting unitonly when the situation is determined to be a hazardous situation. The proper response may be a restriction of a control command of the motion actuator. The proper response may be a response to return the vehicleto a safe state. Even when multiple unrelated hazardous situations are checked, the acts to be taken by the vehicleneed to be integrated into one act. Therefore, in this case, the response unitresolves a potential conflict between the proper responses for these situations, and transmits the proper response to the acting unit.

26 26 55 55 26 96 43 96 96 c c The risk checking unitcan output at least one of data indicating a situation, a checking result of the situation, and a derived proper response. The risk checking unitmay sequentially store at least one of the data indicating the situation, the checking result of the situation, and the derived proper response in the storage medium, by using the recording deviceor the like. The risk checking unitmay transmit at least one of the data indicating the situation, the checking result of the situation, and the derived proper response to an external system (for example, the server) using the communication system, and store the data indicating the situation, the result of checking the situation, and the derived proper response in a database (for example, the management DB) of the server.

26 26 The risk checking unitmay execute an output in a prioritized manner to maintain duty of care for other road users. The risk checking unitmay assist an operation in an emergency. The operation in an emergency may be a DDT fallback. The operation in an emergency may be executed when the proper response to a potentially hazardous situation does not sufficiently reduce the risk when the hazardous situation actually occurs.

26 26 1 26 1 26 The risk checking unitmay distinguish between an initiator of a hazardous scenario and a responder of a hazardous scenario. The risk checking unitmay distinguish between an action recommended for the initiator and an action recommended for the responder. That is, when the vehicleis the initiator, the risk checking unitderives a proper response according to the action recommended for the initiator, and when the vehicleis the responder, the risk checking unitderives a proper response according to the action recommended for the responder.

The automated driving system at level 3 or 4 in which authority transfer between the system and a human user (for example, a driver) occurs will be described.

9 FIG. 23 26 23 23 26 26 23 26 23 26 2 26 23 As schematically illustrated in, the mode management unitmanages the state transition of the automation level and conducts authority transfer as necessary. When the risk checking unitis provided separately from the mode management unit, the mode management unitmay manage the automation level with reference to a risk checking result obtained by the risk checking unit. When the risk checking unitis provided separately from the mode management unit, the risk checking unitmay intervene in the management of the automation level of the mode management unit. For example, when the risk checking unitdetects an unacceptable risk during execution of the DDT by the driving system, the risk checking unitmay forcibly change the automation level managed by the mode management unitto a lower level.

The transition state of the automation level generally includes three states. The three states are, for example, completely manual driving Ma corresponding to level 0, driving assistance Mb corresponding to levels 1 and 2, and automated driving Mc corresponding to level 3 or 4.

23 20 30 21 22 23 23 The mode management unitmay change, for example, the computer program itself executed in the processes in the planning unitand the acting unitaccording to the three states. In this aspect, for example, a computer program used in the driving assistance Mb may be prepared separately from a computer program that implements processes in the prediction unitand the driving planning unitused in the automated driving Mc. The mode management unitprohibits the execution of the computer program for the automated driving Mc in the completely manual driving Ma and the driving assistance Mb. The mode management unitperforms management such that a computer program for the driving assistance Mb is executed in the driving assistance Mb.

2 23 In this case, the implementation of the computer program for driving assistance and the processor that executes the computer program may be implemented by hardware independent of the implementation of the computer program used in the automated driving Mc and the processor that executes the computer program. For example, in the driving system, an automated driving ECU and a driving assistance ECU may be provided, and may be selectively used according to the transition state of the automation level. The functionality of the mode management unitmay be implemented in the automated driving ECU, or may be implemented in a mode management ECU that is further independent of the automated driving ECU and the driving assistance ECU.

Examples of the computer program for driving assistance include a program of an adaptive cruise control (ACC) application that implements a functionality of following another vehicle while maintaining a lane, a program of an advanced emergency braking (AEB) application that implements a functionality of avoiding a collision with another road user by braking, a program of an advanced emergency steering (AES) application that implements a functionality of avoiding a collision with another road user by steering, and the like.

23 20 30 23 22 31 60 22 31 The mode management unitmay constrain or limit the functionalities of, for example, the planning unitand the acting unitaccording to the three states. In the driving assistance of this aspect, the mode management unitmay impose a constraint such that the driving planning unitand the motion control unitdo not autonomously control both the driving and braking of the motion actuatorand the steering. That is, one of driving, braking, and steering is autonomously controlled by the driving planning unitand the motion control unit, and the other is controlled by a driving operation by the user.

2 2 1 2 3 4 1 2 3 4 2 2 10 FIG. Here, an example of a more detailed state transition in the driving systemthat implements automated driving at level 3 will be described with reference to. Examples of the transition state of the driving systeminclude four states, an off state M, a standby/ready state M, a normal state M, and a requesting fallback state M. In the off state Mand the standby/ready state M, the user is an execution subject of the DDT, and the user has authority regarding driving. In the normal state Mand the requesting fallback state M, the driving systemis the execution subject of the DDT, and the driving systemhas authority regarding driving.

1 2 2 1 2 1 The off state Mis a state in which the automated driving functionality at level 3 of the driving systemis off, and is a state in which any functionality at levels 0 to 2 is exhibited. When the automated driving functionality is turned on in the off state, the driving systemtransitions from the off state Mto the standby/ready state M. The ON operation herein may be an ON operation of an automated driving switch provided in the vehicle, which is performed by the user. The ON operation herein may be one of entering the range of the ODD in which the automated driving at level 3 can be executed and approaching the range of the ODD.

2 2 2 1 2 2 2 2 3 The standby/ready state Mis a state in which any one of the functionalities of levels 0 to 2 is exhibited, and is a state in which standby/ready for shifting to a state in which the automated driving functionality of level 3 is exhibited is started. When the automated driving functionality is turned off in the standby/ready state, the driving systemreturns from the standby/ready state Mto the off state Magain. When the condition is satisfied in the standby/ready state M, takeover of the driving from the user to the driving systemis executed, and the authority is transferred. The driving systemtransitions from the standby/ready state Mto the normal state M.

3 3 2 2 3 2 3 2 2 3 1 The normal state Mis a state in which the functionality of level 3 is exhibited. In the normal state M, for example, when the user requests (temporary) authority transfer, takeover of driving from the driving systemto the user is executed, and the driving systemtransitions from the normal state Mto the standby/ready state M. When the automated driving functionality is turned off in the normal state M, the takeover of the driving from the driving systemto the user is executed, and the driving systemtransitions from the normal state Mto the off state together with the authority transfer. The OFF operation herein may be an OFF operation of an automated driving switch provided in the vehicle, which is performed by the user.

3 2 3 4 4 2 2 4 1 When the triggering condition is detected in the normal state M, the driving systemtransitions from the normal state Mto the requesting fallback state M. In the requesting fallback state M, when the driving systemissues a DDT fallback execution request to the user and the user takes over the driving, the driving systemtransitions from the requesting fallback state Mto the off state Mwith authority transfer.

4 2 2 4 1 When the automated driving functionality is turned off in the requesting fallback state M, the driving is taken over from the driving systemto the user, the authority is transferred, and the driving systemtransitions from the requesting fallback state Mto the off state M.

1 2 There are mainly two causes of establishment of the triggering condition for disengaging the automated driving functionality, that is, causes of transition from the normal state to the requesting fallback state. One of the causes is a failure in the vehicleor the driving system. The other one thereof is an ODD exit.

11 14 FIGS.to Examples of authority transfer with DDT fallback at level 3 and level 4 will be described with reference to.

11 FIG. 2 2 2 70 2 2 1 b As illustrated in, a failure in the driving systemthat makes it difficult to continue automated driving during automated driving at level 3, that is, during execution of DDT by the driving systemoccurs. Then, the driving systemnotifies the user of the fallback request through the information presentation device. The user is required to respond to the fallback request for the driving systemat level 3. The user takes over driving from the driving system(conducts authority transfer), and starts DDT fallback by manual operation. For example, the user manually evacuates the vehicleto a road shoulder or a side strip of the road.

12 FIG. 2 2 70 2 b As illustrated in, during the automated driving at level 3, that is, during the execution of the DDT by the driving system, an approach outside the ODD range occurs. Then, the driving systemnotifies the user of the fallback request through the information presentation device. The user is required to respond to the fallback request. Before exiting the ODD, the user takes over driving from the driving system(performs authority transfer), and starts DDT fallback by manual operation.

13 FIG. 2 2 2 70 2 2 2 b As illustrated in, a failure in the driving systemthat makes it difficult to continue automated driving during automated driving at level 4, that is, during execution of DDT by the driving systemoccurs. Then, the driving systemstarts the DDT fallback and notifies the user of the fallback request through the information presentation device. When the user takes over the driving from the driving systemwithin a preset time in response to the fallback request (when authority transfer is conducted), the user then executes the DDT fallback by a manual operation. When the user does not take over the driving from the driving systemwithin a preset time in response to the fallback request (when the authority transfer is not conducted), the driving systemcontinuously performs the DDT fallback and shifts to the MRC.

14 FIG. 2 2 70 2 2 b As illustrated in, during the automated driving at level 4, that is, during the execution of the DDT by the driving system, an approach outside the ODD range occurs. Then, the driving systemstarts the DDT fallback and notifies the user of the fallback request through the information presentation device. In response to the fallback request, when the user takes over the driving from the driving system (when the authority transfer is conducted) before the timing at which there is no time to exit the ODD, the user manually performs the DDT fallback. In response to the fallback request, when the user does not take over the driving from the driving system(when the authority transfer is not conducted) before the timing at which there is no time to exit the ODD, the driving systemcontinuously performs the DDT fallback and shifts to the MRC. The shift to the MRC is preferably completed before the ODD exit.

2 In V&V of the driving system, there are verification for satisfying a safety request of each technical level and verification for safe integration of elements. The verification for satisfying the safety request of each technical level may include evaluation of at least one of the following functionalities and capabilities, preferably all of the functionalities and capabilities. The verification may include evaluation of other functionalities and capabilities.

10 40 43 For example, an evaluation target for the sensing unitis a functionality of the sensoror an external data source (for example, a map data source), a functionality of a sensor algorithm that models an environment, and reliability of the infrastructure and the communication system.

20 20 For example, the evaluation target related to the planning unitis the capability of the determination algorithm. The capability of the determination algorithm is, for example, a capability of safely handling a potential lack of functionality, and a capability of making a proper determination according to an environment model, a driving policy, a current destination, and the like. For example, the evaluation targets related to the planning unitinclude one of the absence of unreasonable risks due to hazardous behaviors of the intended functionality, the functionality of the system to safely handle ODD use cases, a robust performance of execution of the entire ODD driving policy, suitability for DDT fallback, and suitability for minimal risk conditions.

For example, the evaluation target may include robust performance of a system or a functionality. The robust performance of the system or the functionality is a robust performance of a system under adverse environmental conditions, suitability of a system operation under known triggering conditions, sensitivity of an intended functionality, an ability to monitor various scenarios, or the like.

2 2 96 1 2 10 FIG. In order to manage an unacceptable risk and improve the driving system, it is preferable that there is a strong management system MS for the driving systemafter shipment to the market. For example, a management system MS illustrated inchanges the software for a vehicle population by over-the-air (OTA). The management system MS includes the vehicle population including multiple vehicles TTA and TTB, and the server. The vehicles TTA and TTB managed by the management system MS may have the same configuration as the vehicleincluding the driving systemdescribed above, and some of the hardware specifications such as the vehicle type and the vehicle model may be different from each other as long as there is compatibility in the software specifications at least.

In the test in the change process, an index related to safety is used. The result of the validation using the index related to safety may not be used only to determine whether the test software is applicable. For example, the result may be used to set the ODD itself or to set parameter restrictions by the ODD.

15 FIG. 96 96 2 2 As shown in, the serveris installed in an external environment for the vehicles TTA and TTB. The serveris communicably connected to the vehicles TTA and TTB by, for example, V2X communication via a communication infrastructure. The management system MS executes a software test for improvement in safety. That is, the management system MS may be an improvement system that improves the performance or safety of the driving systemsA andB.

2 FIG. 96 96 96 96 96 96 96 a b a b a b As illustrated in, the servermay be mainly implemented by a dedicated computer including at least one memoryand at least one processor. The memorymay be, for example, at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, which non-temporarily stores a computer program, data, and the like that can be read by the processor. For example, a rewritable volatile storage medium such as a random access memory (RAM) may be provided as the memory. The processorincludes, for example, at least one type of a central processing unit (CPU), a graphics processing unit (GPU), and a reduced instruction set computer (RISC)-CPU as a core.

96 96 a b The dedicated computer may be a system on a chip (SoC) in which the memory, the processor, and an interface are integrally implemented on one chip, or at least one SoC may be provided as an element of the dedicated computer.

96 96 96 96 96 c c c c The servermay further include a management database (hereinafter, the management DB). The management DBmay store information for specifying the vehicles TTA and TTB to be managed by the management system MS. The management DBmay store information on specifications of the vehicles TTA and TTB. The management DBmay store various types of information collected from the vehicles TTA and TTB. The various types of information may include information for executing an evaluation in a test for improving safety to be described below.

96 96 97 97 97 97 96 10 FIG. a b c d b The serverimplements a safety improvement functionality for improving the safety. As illustrated in, the servermay include a test management unit, a software distribution unit, a data collection unit, and a test software evaluation unitas processing units for implementing the safety improvement functionality by the processorexecuting a computer program.

97 a The test management unitmanages a test executed for safety improvement. The test may be a test for determining the best software among multiple pieces of test software. When two types of test software are prepared and the two types of test software are compared with each other, this test is referred to as an AB test. The multiple pieces of test software may be three or more types of software that have similar functionalities and can be compared with one another.

96 97 a The test software is provided by, for example, a human administrator (hereinafter, a test administrator) of the server. In this case, the test is conducted for the purpose of selecting the optimum software from the software as a release candidate. On the other hand, when the test is conducted to optimize the parameters used for the computer program, the test software may be software automatically generated by the test management unitin a form of changing the parameters of the existing program.

97 96 97 97 a a a The test management unitmanages the scale of the test and the period of the test. The scale and the period may be set to values input to the serverby the test administrator, or may be automatically set by the test management unit. The test management unitdetermines a test target vehicle suitable for conducting the test from the vehicles TTA and TTB belonging to the vehicle population based on the scale and the period. When the number of vehicles incorporated in the management system MS is smaller than the optimum scale for conducting the test, all the vehicles TTA and TTB belonging to the vehicle population may be designated as the test target vehicles.

97 97 97 96 a a a c The test management unitallocates one of the multiple pieces of test software to the test target vehicle among the vehicles TTA and TTB belonging to the vehicle population. For example, in a test for comparing test software A and test software B, half of the test target vehicles test the test software A, and the remaining half of the vehicles test the test software B. The test management unitmay randomly allocate the test software to the vehicles TTA and TTB using a pseudo-random number. The test management unitmay refer to vehicle information stored in the management DBand execute the allocation of the test software so as to reduce the bias of the condition between the groups for testing the test software.

97 96 97 a a The test management unitsets at least one evaluation index for evaluating the test software. The evaluation index may be set, based on the functionalities and properties of the test software or the intention of the test, to an index determined by the input operation of the test administrator to the server. Alternatively, the evaluation index may be set by the test management unitbased on the functionalities and properties of the test software.

26 1 The evaluation index includes an index related to safety. The index related to safety may be a value obtained by indexing the risk checked by the risk checking unit. The value obtained by indexing the risk includes, for example, the risk value, the safety envelope, the safety distance, and the violation metric (violation degree). The violation metric (violation degree) is a value obtained by evaluating the degree of violation of the vehicle(test target vehicle) with respect to the rule stored in the rule set.

The index related to safety may be a safety metric of the automated driving system. The safety metric may mean a scale that can be quantified based on a collision rate. Examples of the safety metric include the severity and frequency of collision, the severity and frequency of citable offences, the distances in the longitudinal direction and the lateral direction, the accelerations in the longitudinal direction and the lateral direction, the jerk in the longitudinal direction and the lateral direction, the OEDR response time, and the like. The severity of the collision may be evaluated in six stages using, for example, abbreviated injury scale (AIS). The distances in the longitudinal direction and the lateral direction are indexes related to maintenance of a safety envelope or a safety distance.

70 2 2 96 91 a The index related to safety may be a human evaluation related to safety. The human herein may be a user of the test target vehicle. In this case, the evaluation related to safety is an evaluation input by the user through the operation input deviceof the test target vehicle. The human herein may be another VRU such as a pedestrian who encounters the test target vehicle. In this case, the evaluation related to safety may be an evaluation transmitted to the driving systemsA andB or the serverby another VRU who feels that the test target vehicle is hazardous using the mobile terminalor the like owned by the VRU.

97 97 2 2 a a The test management unitmay manage a method for acquiring consent from a human side for applying test software in each test target vehicle. The consent will be described in detail below. The test management unitmay store the consent acquisition method in each of the driving systemsA andB of the test target vehicles.

97 2 97 2 2 b a The software distribution unitdistributes the test software to the driving systemof the test target vehicle based on the allocation of the test software set by the test management unit. Information on a plan of the test may be distributed together with the distribution of the test software. The information on the plan of the test includes information on a period and an evaluation index of the test, and may further include information such as a scale of the test. Accordingly, the test software distributed by each of the driving systemsA andB is temporarily applied, and the test is started.

97 2 2 97 96 c c c. The data collection unitcollects information on an operation of the test software or an operation result thereof as probe data from each of the driving systemsA andB to which the test software is temporarily applied. The information to be collected includes at least one of an index itself related to safety and information for deriving the index related to safety. The data collection unitaccumulates the data sequentially collected from the vehicles TTA and TTB in the management DB

97 97 97 97 d d a d The test software evaluation unitcompares multiple pieces of test software. The test software evaluation unitcompares an evaluation index set by the test management unitbetween pieces of test software. When there are multiple evaluation indexes, the test software evaluation unitcompares each of evaluation indexes between pieces of test software.

97 96 97 d c d Specifically, the test software evaluation unitstatistically processes the data from the vehicles TTA and TTB accumulated in the management DB. For example, when the evaluation index can be expressed by a ratio such as an occurrence rate, the test software evaluation unitcalculates an occurrence rate per vehicle and/or per unit time from the occurrence frequency in the data from the vehicles TTA and TTB.

97 d In the evaluation using the safety metric as the evaluation index, it is preferable to consider severity potential. In the case of evaluating the severity and frequency of a collision for the test software, even if the test software is temporarily applied to multiple vehicles TTA and TTB, it is difficult to statistically evaluate the severity and frequency of a collision when there are few cases in which a collision actually occurs. Therefore, the test software evaluation unitmay estimate a rate of serious collisions having a high severity from the occurrence rate of proper precursor events such as a near collision and a collision with a low severity.

The distribution and sensitivity of the collision type may be different between an automated driving system and a human driver. Therefore, in the statistical evaluation of the safety metric for the test software, the evaluation may be performed after the vehicles to which the test software is applied are classified into an automated driving vehicle of level 3 or higher and a vehicle driven by a human user.

97 97 97 97 d a d b The test software evaluation unitmay have a functionality of selecting one piece of optimum test software from multiple pieces of test software. The optimum test software may be test software with the highest safety. The test management unitmay determine the test software selected by the test software evaluation unitas formal software to be formally adopted. Based on this determination, the software distribution unitmay distribute the formal software to the vehicles TTA and TTB belonging to the vehicle population. The distribution destination vehicle may include a vehicle that belongs to the vehicle population and is not the test target vehicle.

97 97 97 d d a When the multiple pieces of test software are an improvement plan of a currently applied software that is formally applied to each of the vehicles TTA and TTB, the test software evaluation unitmay execute a relative evaluation of the selected test software with respect to the currently applied software. The test software evaluation unitmay determine that the selected test software does not have higher performance than the currently applied software. In this case, the test management unitmay exclude all of the multiple pieces of test software from formal software to be formally adopted.

97 97 97 97 d a a b On the other hand, the test software evaluation unitmay not have a functionality of selecting the optimum test software. In this case, the test management unitpresents a comparison result of an evaluation index to the test administrator through the HMI, and receives an input operation of the selection result of the formal software to be formally adopted by the test administrator. In accordance with this input operation, the test management unitdetermines the formal software. Based on this determination, the software distribution unitmay distribute the formal software to the vehicles TTA and TTB belonging to the vehicle population.

2 2 2 2 2 2 2 2 81 82 83 51 b Driving systemsA andB are implemented in each of the vehicles TTA and TTB belonging to the vehicle population. The driving systemsA andB implement a safety-improving functionality in addition to the perception functionality, the planning functionality, and the acting functionality described above. The safety-improving functionality is a functionality of improving the safety of the driving systemsA andB. The driving systemsA andB may each include a software application unit, an operation measurement unit, and a result transmission unitas processing units for implementing a safety-improving functionality by the processorexecuting a computer program.

81 2 2 81 2 2 The software application unitmanages application of software implemented in the driving systemsA andB. The application of the software herein may include download and installation of the software, that is, standby/ready for making the software usable. The management of the application of the software may include defense against external attacks that exploit security vulnerabilities and management of software updates. When the formal software is distributed, the software application unitpermanently applies the formal software to the driving systemsA andB. The permanent application herein means application until the next update of the formal software.

81 96 2 2 The management of the application of software may include management of the application of test software. When the vehicles TTA and TTB are selected as the test target vehicles, the software application unittemporarily applies the test software distributed from the serverto the driving systemsA andB, and starts verification of the test software.

81 96 The management of the application of the test software may include the management of consent of a human user to the application of the test software. The consent can be rephrased as acceptance, permission, contract, or the like. The consent to applying the test software may include consent to actually testing the test software (hereinafter, test consent). The software application unitrequests the consent of the user based on an acquisition method of a test consent designated in advance by the serveror an acquisition method of the test consent set by itself.

81 55 81 c When the test consent of the user is acquired, the software application unitrecords the acquisition information of the test consent in the storage mediumand permits the execution of the test software. The software application unitprohibits execution of the test software when the test consent of the user has not been acquired.

81 2 2 The software application unitmay stop or end the application of the test software to the driving systemsA andB after starting the test. For example, when the test period is completed, the application of the test software is ended. For example, even during the test period, when the formal software to be formally adopted is determined, the application of the test software is ended. For example, when the test itself is stopped due to a serious problem of the test software, the application of the test software is stopped.

82 96 The operation measurement unitmeasures an operation result of the temporarily applied test software. The measurement target is at least one of an evaluation index designated from the serverside and data necessary for calculation of the evaluation index. As described above, the evaluation index includes an index related to safety. The measurement of the operation result may be constantly conducted according to the properties of the evaluation index, or may be conducted only in a predetermined case based on a preset trigger.

83 96 2 2 81 82 2 2 2 2 The result transmission unittransmits results of a test to the server. The results of the test may be sequentially transmitted in the progress of the test, or may be collectively transmitted at the end of the test period. The results of the test include at least one of test software application information to the driving systemsA andB by the software application unitand measurement information measured by the operation measurement unit. The test software application information may include a date and time and a period when the test software is applied to the driving systemsA andB, a method of applying the test software to the driving systemsA andB, and the like. The measurement information is information on the measurement target described above.

82 83 55 96 55 c c One of the operation measurement unitand the result transmission unitmay record the results of the test in the storage medium. A transmission log to the servermay be recorded in the storage mediumtogether with the results of the test.

82 96 82 96 96 55 c As described above, the operation measurement unitselects an index or data to be measured and an acquisition source from which the index or data is acquired, that is, a measurement target, based on the information of the evaluation index received from the server. Then, the operation measurement unitgenerates the measured index or data in the form of measurement information according to a preset format. This format may be designated from the serverin the information of the evaluation index. The generated measurement information can be transmitted to the serveras probe data and recorded in the storage mediumas described above.

16 17 FIGS.and 96 96 96 51 50 53 96 b a b a Here, an example of a test conducting method for improving safety will be described with reference to a flowchart in. The series of processes may be implemented, for example, by the processorof the serverexecuting a computer program stored in the memoryand the processorof the processing systemexecuting a computer program stored in the memory. A trigger for starting the process and a trigger for advancing each step may be given by an input operation of the test administrator to a user interface in the server.

16 FIG. 101 96 101 102 The flowchart inillustrates a process from planning of a test to an evaluation of test software. In the first S, a test is planned in the server. The test planning includes at least one, preferably all, of the determination of the scale of the test and the test period described above, the determination of the test target vehicle, the allocation of the test software, an evaluation method of the test software, and a method for acquiring the test consent. After the process in S, the process proceeds to S.

102 96 102 103 In S, the servertransmits the test software to each test target vehicle based on the allocation of the test software in the test target vehicle. In response, the driving system plans to perform the test. After the process in S, the process proceeds to S.

103 2 2 96 2 2 2 2 70 104 107 a In S, the driving systemsA andB attempt to acquire the consent of the user based on a method of acquiring the test consent designated from the serverand a method of acquiring the test consent preset by the driving systemsA andB. That is, consent is requested. Next, the driving systemsA andB sense the operation of the user on the operation input deviceor the like, and determine whether the test consent has been acquired. In the case of Yes, the process proceeds to S. In the case of No, the process proceeds to S.

104 2 2 96 104 105 In S, in each of the driving systemsA andB, the test software is executed, and the operation of the test software is measured. That is, the evaluation index or data necessary for calculation of the evaluation index designated from the serveris measured. After the process in S, the process proceeds to S.

105 2 2 104 96 96 105 106 In S, each of the driving systemsA andB transmits the measurement information measured in Sto the server. In this way, the servercollects the measurement information from each test target vehicle in a form that enables a statistical process. After the process in S, the process proceeds to S.

106 96 106 In S, the test software is evaluated in the server. That is, the evaluation index is compared for each test software. The series of processes is finished after S.

107 2 2 107 2 2 2 2 2 2 2 2 On the other hand, in Swhen the test consent cannot be acquired, the driving systemsA andB prohibit the execution of the test software. The series of processes is finished after S. When the test consent is not obtained, the driving systemsA andB may attempt to acquire the consent again. In this case, the driving systemsA andB may change the method of acquiring the test consent. For example, when the consent operation is an operation unsuitable for the user, the possibility of obtaining the consent of the user can be increased by changing the acquisition method. On the other hand, the driving systemsA andB may maintain the same method as the test consent acquisition method. When it is determined that the user does not consent intentionally (that is, the consent is rejected), the driving systemsA andB may stop acquiring the consent again.

17 FIG. 16 FIG. 111 101 107 111 112 The flowchart inillustrates a process when the formal software is determined based on the evaluation result of the test software. The process in Scorresponds to the processes in Sto Sin. After the process in S, the process proceeds to S.

112 96 112 113 In S, on the serverside, the formal software to be formally adopted is determined based on the evaluation result of the test. After the process in S, the process proceeds to S.

113 96 113 114 In S, formal software is transmitted from the serverto each of the vehicles TTA and TTB. After the process in S, the process proceeds to S.

114 114 In S, formal software is applied to each of the vehicles TTA and TTB. The series of processes is ended after S. The test and the evaluation of the test software may not be used to determine whether the formal software can be adopted. For example, the test and the evaluation of the test software may be conducted for academic research on the safety of automated driving.

96 2 2 A method for acquiring test consent designated by any of the serverand the driving systemsA andB will be described.

9 FIG. The acquisition timing of the test consent is a timing corresponding to the functionality and property of the test software, and is set to be in conjunction with the timing of the state transition. It is assumed that the test is a test of a functionality related to execution of the DDT by the user, for example, a test of a functionality related to driving assistance corresponding to levels 1 and 2 illustrated in. In this case, the timing at which the transition state transitions from the completely manual driving Ma corresponding to level 0 to the driving assistance Mb or the timing at which the transition state transitions from the automated driving Mc corresponding to level 3 or 4 to the driving assistance Mb is set as the acquisition timing of the test consent.

Examples of the test of the functionality related to the execution of the DDT by the user include a test of an ACC application, a test of an AEB application, and a test of an AES application. These applications assist the execution of the DTT by the user in a state in which the user is responsible for the execution of the DDT.

2 9 FIG. It is assumed that the test is a test of a functionality related to the DDT by the driving system, for example, a test of a functionality related to automated driving corresponding to level 3 or 4 illustrated in. In this case, the timing at which the transition state transitions from the completely manual driving Ma to the automated driving Mc or the timing at which the transition state transitions from the driving assistance Mb to the automated driving Mc is set as the acquisition timing of the test consent.

2 2 21 22 26 2 2 The test of the functionality related to the DDT by the driving systemsA andB herein is, for example, a test of a prediction functionality of an action of another road user or the like used by the prediction unit, a test of various planning functionalities used by the driving planning unit, or a test of a risk checking functionality used by the risk checking unit. The test of the planning functionality is, for example, a test related to a threshold for whether to execute the lane change in the normal state, or a test of the planning functionality until the transition to the minimal risk condition in the execution of the DDT fallback by the driving systemsA andB.

10 FIG. 1 3 2 2 2 1 2 Among the above, the timing of transition from the automated driving Mc corresponding to level 3 or 4 to the driving assistance Mb, the timing of transition of the transition state from the completely manual driving Ma to the automated driving Mc, and the timing of transition from the driving assistance Mb to the automated driving Mc can be said to be in conjunction with the timing of authority transfer. In the state transition illustrated in, when the state transitions from the off state Mto the normal state Mvia the standby/ready state M, that is, when the standby/ready state Mhas a short time so that the user cannot sufficiently perceive the presence of the standby/ready state M, even if there is a request for consent at the timing from the off state Mto the standby/ready state M, it can be said that the timing is in conjunction with the timing of the authority transfer.

70 2 2 70 70 81 a b a The acquisition timing in conjunction with the timing of the state transition herein may be the only timing for consent. On the other hand, the acquisition timing in conjunction with the timing of the state transition may be the final timing for consent. For example, the user may indicate an intention of consent in advance by operating a dedicated consent switch or the like provided in the operation input devicefor a test of a functionality related to the DDT by the driving systemsA andB. The dedicated consent switch may be a mechanical switch provided on a spoke or the like of the steering wheel, or may be an image switch displayed on a touch-operable screen of the information presentation deviceor the like that also functions as the operation input device. When the prior consent is not obtained, the software application unitmay request the consent of the user at the acquisition timing in conjunction with the timing of the state transition, which is the final timing.

70 a The consent at the acquisition timing in conjunction with the timing of the state transition may be acquired by causing the user to operate a dedicated consent switch or the like provided in the operation input device, similarly to the prior consent.

2 2 70 60 a The consent at the acquisition timing in conjunction with the timing of the state transition may be acquired by an operation common to the operation related to the state transition. For example, when consent is requested in conjunction with the timing of authority transfer from the driving systemsA andB to the user, contact with the operation input devicefor controlling the motion actuatorwhen the user starts the DDT may be detected, and the contact may be regarded as the acquisition of consent.

70 60 81 70 60 70 a a b The contact with the operation input devicefor controlling the motion actuatormay be, for example, gripping a steering wheel by a user or stepping on a brake pedal or an accelerator pedal by a user. In such a method for acquiring the test consent, it is preferable that the software application unitpresents, together with the request to the user, that the contact with the operation input devicefor controlling the motion actuatoris regarded as the acquisition of the test consent through the information presentation deviceor the like.

2 2 2 2 2 2 2 2 When the first test consent is acquired in conjunction with the timing of authority transfer from the driving systemsA andB to the user, that is, when the same test software is continuously tested, the same consent acquisition as the first time may be conducted at the next and subsequent timings of the authority transfer from the driving systemsA andB to the user. When the first test consent is acquired in conjunction with the timing of authority transfer from the user to the driving systemsA andB, that is, when the same test software is continuously tested, the same consent as the first consent may be acquired at the next and subsequent timings of the authority transfer from the user to the driving systemsA andB.

81 70 81 81 b On the other hand, when the test consent is acquired in conjunction with the authority transfer timing, that is, when the same test software is continuously tested, the next and subsequent authority transfer timings are considered. At this time, the software application unitmay determine that the validity of the consent is continued, and notify, through the information presentation device, the user of the fact that the test consent has already been made. Alternatively, at this time, the software application unitmay determine that the validity of the consent is continued, and may not acquire the consent and give the notification of the consent. As described above, the software application unitregulates the consent acquisition a plurality of times and regulates the notification a plurality of times, so that the user can be prevented from feeling inconvenience.

2 2 2 2 2 2 70 2 2 18 FIG. b An example of the acquisition of test consent when authority is transferred from the driving systemsA andB to the user in response to an ODD exit will be described. As illustrated in, during the automated driving at level 3, that is, during the execution of the DDT by the driving systemsA andB, an approach outside the ODD range occurs. Then, the driving systemsA andB notify the user of the fallback request through the information presentation device. The user is required to respond to the fallback request. Before exiting the ODD, the user takes over driving from the driving systemsA andB (conducts authority transfer), and starts the DDT fallback by the manual operation.

70 70 60 b a The notification of the test consent request to the user and the fallback request may be made through the information presentation device. The test consent may be regarded as being acquired by contact with the operation input devicefor controlling the motion actuatorwhen the user starts the DDT fallback.

19 FIG. 2 2 2 2 2 2 70 2 2 2 2 2 2 b As illustrated in, during automated driving at level 4, that is, during the execution of the DDT by the driving systemsA andB, a failure in the driving systemsA andB that makes it difficult to continue the automated driving occurs. Then, the driving systemsA andB start the DDT fallback and notify the user of the fallback request through the information presentation device. When the user takes over the driving from the driving systemsA andB within a preset time in response to the fallback request (when authority transfer is conducted), the user then executes the DDT fallback by a manual operation. When the user does not take over the driving from the driving systemsA andB within a preset time in response to the fallback request (when the authority transfer is not conducted), the driving systemsA andB continuously execute the DDT fallback and transition to the MRC.

70 70 60 b a The notification of the test consent request to the user and the fallback request may be made through the information presentation device. The test consent may be regarded as being acquired by contact with the operation input devicefor controlling the motion actuatorwhen the user starts the DDT fallback in response to the fallback request.

18 19 FIGS.and In the method for acquiring test consent as illustrated in, test software can be applied to any functionality used after authority transfer to a user, and a test can be executed. For example, test software can be applied to an assistance functionality that assists execution of the DDT fallback in the manual operation by a user, and a test can be conducted.

20 21 FIGS.and 20 21 FIGS.and 20 FIG. 51 50 53 26 30 b a are flowcharts illustrating an example of a method for acquiring test consent. A series of processes inmay be implemented by the processorof the processing systemexecuting a computer program stored in the memory. The flowchart inillustrates a process when the risk checking unitdoes not intervene in the acting unitor the like before the DDT fallback is executed.

201 20 22 23 20 FIG. In the first Sin, the planning unit(particularly, the driving planning unitand the mode management unit) executes a system operation in the normal state.

201 2 2 10 11 13 202 202 203 After S, when the driving systemsA andB are in a state in which a failure or exit from the ODD has occurred or is likely to occur, the sensing unit(particularly, the environment perception unitand the internal perception unit) senses the failure or exit (S). After the process in S, the process proceeds to S.

203 23 23 13 204 206 In S, the mode management unitissues a fallback request and a test consent request to the user. The mode management unitdetermines whether there is a user response perceived by the internal perception unit. When the user is responding, the process proceeds to S. When the user does not respond, the process proceeds to S.

204 81 70 60 204 205 a In S, it is considered that the software application unitcan acquire the consent of the test by the response of the user, particularly, the contact with the operation input devicefor controlling the motion actuator. After the process in S, the process proceeds to S.

205 205 In S, a DDT (for example, a DDT fallback) is executed by a manual operation of the user. The series of processes is ended after S.

206 2 2 22 31 206 In Swhen the user does not respond, the DDT fallback is executed by the driving systemsA andB. That is, the driving planning unitand the motion control unitexecute the shift to the MRC through a minimal risk maneuver (MRM). The series of processes is ended after S.

21 FIG. 21 FIG. 26 30 301 20 22 23 301 302 The flowchart inillustrates a process when the risk checking unitintervenes in the acting unitand the like before the DDT fallback is executed. In the first Sin, the planning unit(particularly, the driving planning unitand the mode management unit) executes a system operation in the normal state. After S, the process proceeds to S.

302 26 301 303 302 301 In S, the risk checking unitdetermines whether the risk is acceptable. In the case of Yes, the process returns to S. In the case of No, the process proceeds to S. Note that the process in Smay be executed in parallel with S(by separate processors).

303 26 1 30 303 304 In S, the risk checking unitoutputs a proper response for returning the vehicleto the safe state to the acting unit. After the process in S, the process proceeds to S.

304 26 22 1 301 In S, the risk checking unitor the driving planning unitdetermines whether the vehiclehas returned to a safe situation. In the case of Yes, the process returns to S.

2 2 10 11 13 305 305 306 306 309 203 206 In the case of No, when a failure or the exit from the ODD has occurred or is likely to occur in the driving systemsA andB, the sensing unit(particularly, the environment perception unitand the internal perception unit) senses the failure or exit (S). After the process in S, the process proceeds to S. The processes in Sto Sare the same as the processes in Sto S.

2 2 2 2 2 2 According to the first embodiment described above, the consent of the user to the execution of the test of the test software is requested in conjunction with the timing of the authority transfer. That is, the consent to the test software to be used after the authority transfer between the driving systems,A, andB and the user can be acquired together with the authority transfer. Therefore, the validity of conducting the test can be ensured while reducing the inconvenience felt by the user for acquiring the consent. Therefore, it is possible to provide the driving systems,A andB suitable for performance improvement and the test method thereof.

2 2 2 According to the first embodiment, the test is a test of a functionality related to execution of the DDT by the user. In this case, in requesting the consent of the user, the consent is requested in conjunction with the timing of the authority transfer from the driving systems,A andB to the user. In this way, when the user starts executing the DDT, that is, when there is a possibility that the test software operates, consent is requested, and thus the inconvenience felt by the user can be further reduced.

2 2 2 70 60 1 a In addition, the driving systems,A, andB are configured such that, in requesting the consent of the user, it is considered that the consent has been acquired by contact with the operation input devicefor controlling the motion actuatorthat causes the vehicleto move when the user starts the DDT. In this way, it is less necessary for the user to perform a special operation in order to consent the performance of the test, and therefore, both the acquisition of consent and the authority transfer can be smoothly performed.

2 2 2 2 2 2 2 2 2 70 60 1 a According to the first embodiment, the timing of the authority transfer from the driving systems,A, andB to the user occurs with the exit from the ODD set in advance in the driving systems,A, andB. In this case, the driving systems,A, andB are configured such that, in requesting the consent of the user, it is considered that the consent has been acquired by contact with the operation input devicefor controlling the motion actuatorthat causes the vehicleto move when the user starts the DDT fallback. In this way, it is less necessary for the user to perform a special operation in order to consent the performance of the test, and therefore, both the acquisition of consent and the authority transfer can be smoothly performed.

2 2 2 2 2 2 2 2 2 According to the first embodiment, the test is a test of a functionality related to the DDT by the driving systems,A, andB. In this case, in requesting the consent of the user, the consent is requested in conjunction with the timing of the authority transfer from the user to the driving systems,A, andB. In this way, consent is requested when the driving systems,A andB start execution of the DDT, that is, when there is a possibility that the test software operates, and therefore, the inconvenience felt by the user can be further reduced.

2 2 2 According to the first embodiment, when the consent is not acquired, the operation of the test software is prohibited. Only the test software that ensures validity for performing the test can operate, and therefore, the driving systems,A, andB and the test method thereof suitable for performing performance improvement can be provided.

22 23 FIGS.and As illustrated in, a second embodiment is a modification example of the first embodiment. The second embodiment will be described focusing on a difference from the first embodiment.

81 70 1 In the second embodiment, the software application unitcontrols the HMI deviceof the vehicleto provide a user interface UIF that allows the user to set a test mode in which participation is accepted in advance, before the acquisition timing of the test consent. The test mode includes a test using a shadow-mode, a test using a redundant system, a test of an HMI, and the like.

In the test using the shadow-mode as one aspect of the test, the test software operates in parallel behind the scenes against the software operating according to the currently applied formula. The output result of the test software is not reflected in the behavior of the vehicles TTA and TTB. However, the test software can be verified by executing the same input as the input to the actual software on the test software and evaluating the output of the test software by an index related to safety.

22 FIG. 2 2 2 2 81 2 81 81 50 2 81 2 50 81 2 ac a ac a a ac a ac a ac In, a configuration is adopted in which a driving systemY as a specific example of the systemsA andB applicable to the vehicles TTA and TTB is separated into an actual operation unitand a shadow-mode execution unit. The actual operation unitand the shadow-mode execution unitmay be configured such that, for example, pieces of hardware are separate and independent. For example, a computer including a memory and a processor constituting the shadow-mode execution unitmay be provided separately from a main computer of the processing system. The actual operation unitand the shadow-mode execution unitmay share, for example, hardware resources. In this case, in a computer in which a computer program for the actual operation unitin the processing systemis incorporated, a computer program for the shadow-mode execution unitis incorporated separately from the computer program for the actual operation unitto execute the process.

2 2 2 81 81 96 ac ac a a The actual operation unitis configured to reflect the process on at least one of the HMI, the V2X communication, and the behavior of the actual vehicles TTA and TTB. That is, a series of configurations described in the architecture of the driving systemdescribed above is provided. The actual operation unitmay include, for example, a redundant system. On the other hand, the shadow-mode execution unitis configured to restrict the process from being reflected in the HMI and the behavior of the actual vehicles TTA and TTB. The shadow-mode execution unitcan provide information on the operation of the test software for the probe data collection by the server, which is not directly reflected in the HMI and behavior of the vehicles TTA and TTB.

23 FIG. 26 26 26 26 2 81 81 26 2 81 26 2 81 81 c a b c ac a b c ac b c ac b illustrates an example in which the shadow-mode is used to improve one risk checking unitamong the multiple risk checking units,, andconstituting the redundant system in the actual operation unit. In this example, the shadow-mode execution unitincludes a risk checking unitcorresponding to the risk checking uniton the actual operation unitside. This risk checking unitis different from the risk checking uniton the actual operation unitside. The test software in a test executed for safety improvement is applied to the risk checking unitby the software application unit.

81 26 2 41 26 41 81 b c ac c c c b. The risk checking unitis configured to receive the same information at substantially the same timing as the risk checking uniton the actual operation unitside. The sensing result of the LiDARis input to the risk checking unit, and therefore, the same sensing result of the LiDARis also input to the risk checking unit

82 81 81 82 26 2 82 81 2 b a c ac a ac. The operation measurement unitmeasures at least one of the data indicating the situation, the checking result of the situation (including the checking results of the risk), and the derived proper response, which are output by the risk checking uniton the shadow-mode execution unitside. The operation measurement unitmay further measure at least one of the data indicating the situation, the checking result of the situation, and the derived proper response, which are output by the risk checking uniton the actual operation unitside. In this case, the operation measurement unitmay detect a difference between the output of the shadow-mode execution unitand the output of the actual operation unit

83 26 81 82 96 26 81 82 83 96 c b c b The result transmission unitmay transmit the outputs of the risk checking unitsandobtained by the operation measurement unitto the serveras they are. The outputs of the risk checking unitsandobtained by the operation measurement unitmay be converted according to the format of the evaluation index set in the test. The result transmission unitmay transmit the converted data to the server.

In a test using a redundant system as another aspect of the test, test software is temporarily applied to one of a plurality of systems forming the redundant system. For example, in the case of a driving system including a redundant system of triple redundancy majority decision, even if one system to which the test software is applied outputs an error (a non-optimal solution for safety), the error due to the test software is rejected by the other two systems. Even in the case of a driving system including a dual-redundant system, a test using the redundant system can be performed as long as safety can be ensured by the remaining one system in the functionality of the test software to be tested.

23 FIG. 2 2 2 2 26 26 26 26 26 81 c a b c c illustrates a driving systemZ as a specific example of the systemsA andB applicable to the vehicles TTA and TTB. In this driving systemZ, an example in which a test is performed in order to improve one risk checking unitamong the multiple risk checking units,, andis illustrated. In this example, the test software is temporarily applied to the risk checking unitas a test target by the software application unit.

41 26 26 26 26 82 26 41 26 41 26 41 c c c d c a a b b c c The sensing result of LiDARis input to the risk checking unitas in the case of non-test periods. The checking results of the risk from the risk checking unitbased on the test software are aggregated by the majority decision provided by the majority decision unitas in non-test periods. The output from the risk checking unitis provided to the operation measurement unit. The risk checking unit as a test target may be the risk checking unitto which the sensing result of the camerais input or the risk checking unitto which the sensing result of the millimeter wave radaris input, instead of the risk checking unitto which the sensing result of the LiDARis input.

82 26 c. The operation measurement unitmeasures at least one of the data indicating the situation, the checking result of the situation (including the checking results of the risk), and the derived proper response, which are output by the risk checking unit

83 26 81 82 96 26 81 82 83 96 c b c b The result transmission unitmay transmit the outputs of the risk checking unitsandobtained by the operation measurement unitto the serveras they are. The outputs of the risk checking unitsandobtained by the operation measurement unitmay be converted according to the format of the evaluation index set in the test. The result transmission unitmay transmit the converted data to the server.

1 43 The test using the redundant system may be performed on a vehicle capable of implementing level 4 automated driving by limiting at least one of the time and environment for operating the test software. This limitation makes it possible to minimize the risk caused by the operation of the test software. For example, execution time of the test may be limited only to daytime when the detection performance of the camera is high. For example, the execution environment of the test may be limited only to fine weather in which the detection performance of the camera is high. For example, the execution environment of the test may be limited to a case where assistance of an external operator capable of remotely driving the vehiclecan be obtained via the communication system.

2 2 2 2 The test using the redundant system may be conducted without limiting the time and the environment in a system having a triple-redundant system. The system having a triple-redundant system can be adopted, for example, in the driving systemsA andB of vehicles capable of implementing automated driving at level 3 and the driving systemsA andB of vehicles used for mobility as a service (MaaS) among vehicles capable of implementing automated driving at level 4.

70 b In the test of the HMI as another aspect of the test, for example, the content actually presented to the information presentation deviceis changed. It is necessary to evaluate the interaction between the actual interface and the user, and therefore, the test of the HMI is not suitable for the test using the shadow-mode and the test using the redundant system. Therefore, the test of the HMI is handled as a mode different from the test using the shadow-mode and the test using the redundant system.

1 70 70 81 2 97 96 b a a The test mode may be set by the user, for example, during purchase of the vehicleor during initial activation. The setting of the test mode may be set by the user at any timing through a screen of the information presentation devicealso serving as the operation input devicethat can be touch-operated, such as a CID. The setting information of the test mode is transmitted from the software application unitof the driving systemto the test management unitof the server.

24 FIG. 81 1 2 4 70 70 71 1 1 2 4 1 1 2 4 b a shows a display example of a setting screen in the user interface UIF. In this example, in order to set the test mode, the software application unitmay display a test participation switch SWand individual switches SWto SWof each mode on the information presentation devicethat also serves as the operation input devicethrough the HMI output unit. The test participation switch SWis a switch for indicating whether the user intends to participate in the test itself when the management system MS plans the test. When the test participation switch SWis set to the off state, that is, when the user indicates an intention not to participate in the test, the individual switches SWto SWof each aspect may be turned off in conjunction with the test participation switch SW. When the test participation switch SWis set to the on state, that is, when the user indicates an intention to participate in the test, the individual switches SWto SWof each aspect may be switchable by the user.

2 4 2 4 1 97 96 1 4 96 97 1 1 a a The individual switches SWto SWof each aspect are individually displayed corresponding to each of the test using the shadow-mode, the test using the redundant system, and the test of the HMI. When the individual switches SWto SWare set to the off state, the vehicleis excluded from the selection of the test target vehicle even if the test management unitin the serverplans the test in the mode corresponding to this switch. That is, the setting information of the switches SWto SWis provided to the server, and the test management unitselects the test target vehicle so that the vehiclethat cannot obtain the consent of the user is excluded from the test target vehicles based on the setting information. For the excluded vehicle, the test consent request and acquisition in conjunction with the timing of the authority transfer are not conducted.

2 4 97 1 1 81 a When the individual switches SWto SWare set to the on state and the test management unitplans the test in the mode corresponding to this switch, the vehiclemay be selected as the test target vehicle. When the vehicleis selected as the test target vehicle, the software application unitacquires the test consent of the user described in the first embodiment again.

70 1 According to the second embodiment described above, the HMI deviceof the vehicleis controlled to provide the user interface UIF that allows the user to set multiple test modes accepted by the user before the timing of requesting the consent of the user. With respect to the test in the test mode that is not accepted, the request for consent at the timing of authority transfer is not required, and thus the inconvenience felt by the user can be reduced.

2 4 2 4 According to the second embodiment, the user interface UIF includes the multiple individual switches SWto SWthat allow the user to individually set whether to accept each of the multiple test modes. The multiple individual switches SWto SWfacilitate customization of the test mode by the user.

1 According to the second embodiment, the user interface UIF includes the participation switch SWthat allows the user to individually set whether to participate in the test itself. The user can set whether to participate in the test by operating one switch.

Although a plurality of embodiments are described above, the present disclosure is not construed as being limited to these embodiments, and can be applied to various embodiments and combinations within a scope that does not depart from the gist of the present disclosure.

25 FIG. 126 126 110 120 120 126 126 102 As another embodiment, as illustrated in, a risk checking unitmay not derive a proper response, and may be mounted specifically for a risk checking functionality. In this example, the risk checking unitacquires situation data from a sensing unit, checks a risk with respect to a behavior of a safety-related object based on the situation data, and outputs a checking result to the planning unit. The planning unitplans driving of the vehicles TTA and TTB according to the checking result acquired from the risk checking unit. The software included in the risk checking unitof the driving systemcan be tested using the shadow-mode. The test consent in the test may be acquired in conjunction with the state transition or the authority transfer as described in the first and second embodiments.

26 FIG. 226 1 202 226 228 228 220 226 55 226 202 c As another embodiment, as illustrated in, a risk checking unitmay be mounted specifically for a recording functionality, not for use in deriving driving and an action of the vehicle, but for use in subsequent verification and validation of a driving system. In this example, the risk checking unitprovides a checking result to a recording unit. The recording unitorganizes the processing result by the planning unitand the checking result by the risk checking unit, and executes recording sequentially or periodically. The recording may be recording to the on-board storage medium. For the software included in the risk checking unitof the driving system, the test may not be executed using the shadow-mode, and the test may not be executed using the redundant system. The test consent in the test may be acquired in conjunction with the state transition or the authority transfer as described in the first and second embodiments.

27 FIG. 302 310 320 330 321 302 As another embodiment, as illustrated in, in a driving system, there is no risk checking unit provided independently of a sensing unit, a planning unit, and an acting unit. Software included in one specific applicationof such a driving systemmay be tested using the shadow-mode. The test consent in the test may be acquired in conjunction with the state transition or the authority transfer as described in the first and second embodiments.

As another embodiment, the management system MS may test one piece of test software for improving safety. When one piece of test software is tested and it is determined that the test software does not have higher performance than the software being applied, the improvement of the driving system may be stopped. When an improved version of the test software is provided, the management system MS may perform the test again using the improved version. The test software may improve performance other than safety.

1 2 1 2 10 FIG. As another embodiment, the test consent may be required from the user in conjunction with the timing of transition from the off state Mto the standby/ready state Millustrated in. For example, when the state transitions from the off state Mto the standby/ready state Min response to the user turning on the automated driving switch, the on operation of the automated driving switch may also consent.

1 2 2 2 2 2 102 202 302 1 1 2 2 2 2 2 102 202 302 The vehicles, TTA, and TTB on which each of the driving systems,A,B,Y,Z,,, andis mounted are not limited to general private cars, and may be a rental vehicle, a manned taxi vehicle, a ride-sharing vehicle, a freight vehicle, a bus, and the like. The vehicles, TTA, and TTB may be right-hand drive vehicles or left-hand drive vehicles. A traffic environment in which the vehicles, TTA, and TTB travel may be a traffic environment in which left-hand traffic is the norm or a traffic environment in which right-hand traffic is the norm. The driving systems,A,B,Y,Z,,, andaccording to the present disclosure may be appropriately optimized in consideration of road traffic laws and customs of each country and region, police investigations, prosecutions, criminal and civil lawsuits regarding traffic accidents, and the like.

The control unit and methods described in the present disclosure may be implemented by a dedicated computer comprising a processor programmed to execute one or more functions embodied by a computer program. Alternatively, the apparatus and methods described in the present disclosure may be implemented by dedicated hardware logic circuits. Further, the apparatus and methods described in the present disclosure may be implemented by one or more dedicated computers configured by a combination of a processor that executes a computer program and one or more hardware logic circuits. The computer program may be stored as instructions executable by a computer on a non-transitory, computer-readable tangible recording medium.

This specification discloses a plurality of technical ideas as set forth in the following disclosure.

at least one processor; and at least one storage medium configured to store at least one piece of software. Automated driving is enabled by operating the software by the processor in a manner of allowing authority transfer between a system itself and a user, the processor is configured to execute requesting consent of the user to perform a test on test software for improving the software, and operating the test software when the consent of the user is acquired, and in requesting consent of the user, the processor requests the consent of the user in conjunction with a timing of the authority transfer. A driving system to be mounted on a vehicle includes:

the test is a test of a functionality related to execution of a dynamic driving task by the user, and in requesting consent of the user, the processor requests the consent of the user in conjunction with a timing of the authority transfer from the system itself to the user. In the driving system according to Technical Idea 1,

in requesting consent of the user, the processor regards, as acquisition of the consent of the user, contact with an operation input device for controlling a motion actuator that causes the vehicle to move when the user starts the dynamic driving task. In the driving system according to Technical Idea 2,

when the timing of the authority transfer from the system itself to the user occurs due to exit of an operational design domain set in advance in the system itself, in requesting consent of the user, the processor regards, as acquisition of the consent, contact with an operation input device for controlling a motion actuator that causes the vehicle to move when the user starts fallback of the dynamic driving task. In the driving system according to Technical Idea 2,

the test is a test of a functionality related to a dynamic driving task by the system itself, and in requesting consent of the user, the processor requests the consent of the user in conjunction with a timing of the authority transfer from the user to the system itself. In the driving system according to Technical Idea 1,

the processor is further configured to control an HMI device of the vehicle to provide a user interface that allows the user to set a plurality of test modes accepted by the user before a timing of requesting the consent of the user to the execution of the test. In the driving system according to any one of Technical Ideas 1 to 5,

the user interface includes a plurality of individual switches that allow the user to individually set whether to accept each of the plurality of test modes. In the driving system according to Technical Idea 6,

the user interface includes a participation switch that allows the user to set whether to participate in the test itself. In the driving system according to Technical Idea 6 or 7,

the processor is configured to prohibit an operation of the test software when the consent is not acquired. In the driving system according to any one of Technical Idea 1 to 8,

requesting, in conjunction with a timing of the authority transfer, consent of the user to perform a test on test software for improving the software; acquiring the consent of the user by sensing an operation of the user on an operation input device of the vehicle in response to the request; operating the test software when the consent of the user is acquired; and prohibiting an operation of the test software when the consent of the user is not acquired. A test method for conducting, in a driving system to be mounted on a vehicle that includes at least one processor and at least one storage medium configured to store at least one piece of software, and that is configured to enable automated driving by operating the software by the processor in a manner of allowing authority transfer between a system itself and a user, a test regarding the software by the processor, is provided. The test method includes:

A management system for managing a driving system the management system includes: a plurality of vehicles each equipped with the driving system; and a server communicably connected to the plurality of vehicles.

Each driving system is configured to enable automated driving by operating software in a manner of allowing authority transfer between a system itself and a user. The server is configured to execute setting test software to be tested on each driving system, and transmitting the test software to each driving systems. Each driving system is configured to execute requesting, in conjunction with a timing of the authority transfer, consent of the user to execution of a test on the test software received from the server, and operating the test software when the consent of the user is acquired.

According to this technical idea, the consent of the user to the conduction of the test of the test software is requested in conjunction with the timing of the authority transfer. That is, the consent to the test software to be used after the authority transfer between the driving system and the user can be acquired together with the authority transfer. Therefore, the validity of conducting the test can be ensured while reducing the inconvenience felt by the user for acquiring the consent. Therefore, a management system suitable for improving the performance of the driving system can be provided.

A management system for managing a driving system includes: a plurality of vehicles each equipped with the driving system; and a server communicably connected to the plurality of vehicles.

Each driving system is configured to execute controlling an HMI device of the vehicle so as to provide a user interface that allows a user to set a mode of a test accepted by the user of the vehicle, and transmitting setting information set by the user using the user interface to the server. The server is configured to execute acquiring the setting information from each of the vehicles, selecting a test target vehicle from the plurality of vehicles, and setting test software for testing the driving system of the test target vehicle among the plurality of vehicles, and transmitting the test software to each driving system, in selection of the test target vehicle, the server excludes, from the test target vehicle, the vehicle for which the consent of the user cannot be obtained based on a mode of the test assumed for the test and the setting information.

According to this technical idea, the HMI device of the vehicle is controlled so as to provide the user interface capable of setting the mode of the test accepted by the user. For the test in the test mode that is not accepted, the vehicle is excluded from the test target vehicles. That is, the user is not requested to agree with the execution of the test in the test mode that is not accepted, and therefore, the inconvenience felt by the user can be reduced. For the management system, the process for the test that cannot obtain the consent of the user can be restricted, and therefore, the processing load can be reduced.

A server includes at least one processor and communicably connected to a plurality of vehicles each equipped with a driving system.

The processor is configured to execute acquiring, from each of the vehicles, setting information set by a user for a mode of a test accepted by the user, selecting a test target vehicle from the plurality of vehicles, setting test software to be tested on the driving system of the test target vehicle among the plurality of vehicles, and transmitting the test software to each driving system. In the selection of the test target vehicle, the processor excludes, from the test target vehicle, a vehicle for which consent of the user cannot be obtained, based on the mode of the test assumed in the test and the setting information.

According to this technical idea, the vehicle for which the consent of the user cannot be obtained is excluded from the test target vehicle based on the setting information on the mode of the test accepted by the user. That is, for the management system, the process for the test for which the consent of the user cannot be obtained can be restricted, and therefore, the processing load can be reduced.